Author Topic: G5 qemu attempts.

darthnVader
G5 qemu attempts.
« on: October 04, 2018, 09:49:44 AM »
I figured I'd look at trying to boot OS 9 on the G5 970fx v3.1 in Qemu, and maybe that would tell us if it would ever be doable on a real G5 CPU.

Qemu doesn't emulate a G5 logic board; it boots a Mac99 machine, near a Sawtooth.

Linux boots with the mac99 and 970fx, but OS X hangs after Call_Kernel! from BootX. It seems to be trying to read spr 304, then make a write there, over and over. I'm looking into that.

We have some reports that using Linux on a real G5, and running Qemu with KVM and cpu host, results in mach_kernel loading, but later a KP due to the drivers expecting a G5 logic board rather than Sawtooth hardware.

Here is what I get trying to boot OS 9:

Code:
qemu-system-ppc64 -M mac99 -m 1024 -cpu ppc64 -hda ~/os9/os9.img --nographic  -net nic,model=sungem -net user -prom-env "auto-boot?=false"

>> =============================================================
>> OpenBIOS 1.1 [Aug 31 2018 11:17]
>> Configuration device id QEMU version 1 machine id 3
>> CPUs: 1
>> Memory: 1024M
>> UUID: 00000000-0000-0000-0000-000000000000
>> CPU type PowerPC,970FX
milliseconds isn't unique.
Welcome to OpenBIOS v1.1 built on Aug 31 2018 11:17

0 > boot Trying hd:,\\:tbxi...
>> switching to new context:
MacOS: unable to find a usable NVRAM partition - using offset 0x1400.
Overlap in AddMemoryRelocationEntry().
    - dst = 0x00003000, dstLength = 0x00000504, entry->dst = 0x00000000, entry->dst_len = 0x0004DA68.
Overlap in AddMemoryRelocationEntry().
    - dst = 0x00003F80, dstLength = 0x00000080, entry->dst = 0x00000000, entry->dst_len = 0x0004DA68.
Overlap in AddMemoryRelocationEntry().
    - dst = 0x00003F40, dstLength = 0x00000040, entry->dst = 0x00000000, entry->dst_len = 0x0004DA68.
Overlap in AddMemoryRelocationEntry().
    - dst = 0x00003CFC, dstLength = 0x00000204, entry->dst = 0x00000000, entry->dst_len = 0x0004DA68.
Overlap in AddMemoryRelocationEntry().
    - dst = 0x00003F00, dstLength = 0x00000040, entry->dst = 0x00000000, entry->dst_len = 0x0004DA68.
Stopping at end of FCODE, due to fatal error (see above).
EXIT
0 >

ELN, nanopico, anyone offer some insight into what's going wrong here?

Daniel
Re: G5 qemu attempts.
« Reply #1 on: October 04, 2018, 03:12:10 PM »
AddMemoryRelocationEntry is used to request that data structures be copied from one location to another when the system boots. It is not supposed to have multiple destinations overlapping, but that somehow happened.

I think that either the Trampoline is really confused with the device tree, or the upper 32 bits of a 64-bit address are being ignored. It's hard to tell. If you could enable the debug logging, you might be able to figure out what is going on.

There are really all sorts of problems with booting the G5. In addition to the Trampoline not knowing how to handle various devices, neither the Trampoline nor the NanoKernel are built to handle 64-bit processors. For instance, the NK does not support the 64-bit memory management architecture. The PTEs are twice as big. The bit positions are different. It will crash hard when it uses the 32-bit mmu code, assuming it doesn't crash before that.

That doesn't mean we can't do it. It just means we will have to do a lot of work.
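
An added example, not from this thread and not part of the Trampoline, OpenBIOS or QEMU code it discusses: it parses the five "Overlap in AddMemoryRelocationEntry()" reports quoted in the first post, re-applies the interval test that Daniel's description implies (no two destination ranges may share a byte), and then tests his second hypothesis, that a 64-bit destination which is disjoint from the existing entry would still collide once its upper 32 bits are dropped. SAMPLE_LOG is copied from the first post; the 64-bit address 0x1_0000_3000 used in the truncation check is a constructed value that the log never printed, and the function names are my own.

```python
"""Check the Trampoline's relocation-entry overlap reports and Daniel's two hypotheses."""
import re

# Constructed sample: the five "Overlap in AddMemoryRelocationEntry()" reports, copied
# from the OpenBIOS session in the first post exactly as the Trampoline printed them.
SAMPLE_LOG = """\
Overlap in AddMemoryRelocationEntry().
    - dst = 0x00003000, dstLength = 0x00000504, entry->dst = 0x00000000, entry->dst_len = 0x0004DA68.
Overlap in AddMemoryRelocationEntry().
    - dst = 0x00003F80, dstLength = 0x00000080, entry->dst = 0x00000000, entry->dst_len = 0x0004DA68.
Overlap in AddMemoryRelocationEntry().
    - dst = 0x00003F40, dstLength = 0x00000040, entry->dst = 0x00000000, entry->dst_len = 0x0004DA68.
Overlap in AddMemoryRelocationEntry().
    - dst = 0x00003CFC, dstLength = 0x00000204, entry->dst = 0x00000000, entry->dst_len = 0x0004DA68.
Overlap in AddMemoryRelocationEntry().
    - dst = 0x00003F00, dstLength = 0x00000040, entry->dst = 0x00000000, entry->dst_len = 0x0004DA68.
"""

# One report line: the new request (dst/dstLength) and the entry it collided with.
REPORT_RE = re.compile(
    r"dst = 0x([0-9A-Fa-f]+), dstLength = 0x([0-9A-Fa-f]+), "
    r"entry->dst = 0x([0-9A-Fa-f]+), entry->dst_len = 0x([0-9A-Fa-f]+)"
)


def ranges_overlap(a_start, a_len, b_start, b_len):
    """True when [a_start, a_start+a_len) and [b_start, b_start+b_len) share any byte."""
    return a_start < b_start + b_len and b_start < a_start + a_len


def parse_overlap_reports(text):
    """Extract (dst, dstLength, entry->dst, entry->dst_len) from each report and re-check it."""
    reports = []
    for m in REPORT_RE.finditer(text):
        dst, length, entry_dst, entry_len = (int(x, 16) for x in m.groups())
        reports.append({
            "dst": dst, "len": length,
            "entry_dst": entry_dst, "entry_len": entry_len,
            "overlaps": ranges_overlap(dst, length, entry_dst, entry_len),
        })
    return reports


def collides_only_after_truncation(dst_a, len_a, dst_b, len_b, bits=32):
    """Daniel's second hypothesis: two destinations that are disjoint as full-width
    addresses collide once the upper bits are ignored. True only in that case."""
    mask = (1 << bits) - 1
    disjoint_full = not ranges_overlap(dst_a, len_a, dst_b, len_b)
    overlap_trunc = ranges_overlap(dst_a & mask, len_a, dst_b & mask, len_b)
    return disjoint_full and overlap_trunc


if __name__ == "__main__":
    for r in parse_overlap_reports(SAMPLE_LOG):
        print(f"dst 0x{r['dst']:08X}+0x{r['len']:X} vs entry "
              f"0x{r['entry_dst']:08X}+0x{r['entry_len']:X}: overlap={r['overlaps']}")
    # Hypothetical 64-bit destination (constructed, not from the log): 0x1_0000_3000 lies
    # above the 0..0x4DA68 entry, but truncated to 32 bits it becomes 0x3000, inside it.
    print("collides only after truncation:",
          collides_only_after_truncation(0x1_0000_3000, 0x504, 0x0, 0x4DA68))
```

Run against the quoted output, every one of the five rejected destinations (0x3000 through 0x3F80, all a few hundred bytes long) falls inside the single existing entry that starts at 0x00000000 and spans 0x4DA68 bytes, so the question the log raises is how that first entry came to cover low memory in the first place; the truncation function is a way to test the dropped-upper-bits theory once the debug logging shows the original 64-bit values.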

darthnVader
Re: G5 qemu attempts.
« Reply #2 on: October 04, 2018, 05:39:16 PM »
How would I enable debug logging?

Daniel
Re: G5 qemu attempts.
« Reply #3 on: October 04, 2018, 07:07:22 PM »
Set the "AAPL,debug" property on the device tree root node. It looks like Qemu will just let you add this command line option:
Code:
-prom-env aapl,debug=13FFF
If you can get to an Open Firmware prompt, you could enable the normal way:
Code:
dev / 13FFF encode-int " AAPL,debug" property
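
An added example, not part of Daniel's reply and not Apple, OpenBIOS or QEMU code: it parses the "AAPL,debug bit settings" table that the Trampoline itself prints at the top of the debug run quoted in the next reply, decodes a mask against that table, and emits the two spellings Daniel gives for setting it (the QEMU -prom-env option and the Open Firmware property line). Decoding 13FFF shows that it is exactly the OR of every starred (print) flag, with the unstarred ones (4000, 8000, 20000 and the Nanokernel bits) left clear. The table text is copied from the thread; the function names are my own.

```python
"""Parse the AAPL,debug bit table the Trampoline prints and decode masks against it."""
import re

# Bit table copied from the Trampoline's own debug output quoted in this thread;
# the table is the ground truth, this script only parses it.
AAPL_DEBUG_TABLE = """\
AAPL,debug bit settings (-OR- bits together):
       1 * = Print general informative messages.
       2 * = Print formatted Mac OS tables (except config/universal info).
       4 * = Print formatted config info table.
       8 * = Dump Mac OS tables (except config/universal info).
      10 * = Print node names while copying the device tree.
      20 * = Print property info while copying the device tree.
      40 * = Print interrupt-related info.
      80 * = Print interrupt tree traversal info.
     100 * = Print address resolution info.
     200 * = Print NV-RAM info.
     400 * = Print Mac OS "universal" info.
     800 * = Print "special" node info.
    1000 * = Load EtherPrintf utility via parcel for post FCode debugging.
    2000 * = Print BOOTP/DHCP/BSDP information.
    4000   = Allocate writable ROM aperture.
    8000   = Mark Toolbox image as non-cacheable.
   10000 * = Print parcel info while copying the device tree.
   20000   = Print information on device tree data checksums.
 1000000   = Enable the Nanokernel debugger.
 2000000   = Display the Nanokernel log during boot.
10000000   = Dont attempt to unhibernate system.
40000000   = Halt after end of FCode (useful if outputting to screen).
"""

# One table row: hex bit value, optional '*' marker, '=', description.
ROW_RE = re.compile(r"^\s*([0-9A-Fa-f]+)\s+(\*?)\s*=\s*(.+?)\s*$")


def parse_table(text):
    """Return {bit_value: (starred, description)} from the Trampoline's table."""
    table = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            table[int(m.group(1), 16)] = (m.group(2) == "*", m.group(3))
    return table


def decode_mask(mask, table):
    """Split a mask into the known bits it sets (ascending) and any bits the table lacks."""
    known = [bit for bit in sorted(table) if mask & bit]
    unknown = mask
    for bit in table:
        unknown &= ~bit
    return known, unknown


def starred_mask(table):
    """OR of every starred bit, i.e. every flag that only adds printing."""
    mask = 0
    for bit, (starred, _) in table.items():
        if starred:
            mask |= bit
    return mask


def prom_env_option(mask):
    """QEMU spelling of the property, as Daniel gives it: -prom-env aapl,debug=<hex>."""
    return f"-prom-env aapl,debug={mask:X}"


def forth_property_line(mask):
    """Open Firmware spelling for setting the same property on the root node."""
    return f'dev / {mask:X} encode-int " AAPL,debug" property'


if __name__ == "__main__":
    table = parse_table(AAPL_DEBUG_TABLE)
    known, unknown = decode_mask(0x13FFF, table)
    for bit in known:
        print(f"{bit:8X}  {table[bit][1]}")
    print("unknown bits:", hex(unknown))
    print("all print flags:", prom_env_option(starred_mask(table)))
    print("same, via Open Firmware:", forth_property_line(starred_mask(table)))
```

Because the decoder reads the table the firmware prints rather than a hardcoded list, a mask that sets a bit the Trampoline did not document comes back in the unknown field instead of silently passing, which is the check you want before pasting a mask into NVRAM.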

darthnVader
Re: G5 qemu attempts.
« Reply #4 on: October 04, 2018, 08:19:38 PM »
That's a lot of debug info:

Code:
qemu-system-ppc64 -M mac99 -m 1024 -cpu ppc64 -hda ~/os9/os9.img --nographic -prom-env "aapl,debug=13FFF"

>> =============================================================
>> OpenBIOS 1.1 [Aug 31 2018 11:17]
>> Configuration device id QEMU version 1 machine id 3
>> CPUs: 1
>> Memory: 1024M
>> UUID: 00000000-0000-0000-0000-000000000000
>> CPU type PowerPC,970FX
milliseconds isn't unique.
Welcome to OpenBIOS v1.1 built on Aug 31 2018 11:17
Trying hd:,\\:tbxi...
>> switching to new context:
AAPL,debug bit settings (-OR- bits together):
       1 * = Print general informative messages.
       2 * = Print formatted Mac OS tables (except config/universal info).
       4 * = Print formatted config info table.
       8 * = Dump Mac OS tables (except config/universal info).
      10 * = Print node names while copying the device tree.
      20 * = Print property info while copying the device tree.
      40 * = Print interrupt-related info.
      80 * = Print interrupt tree traversal info.
     100 * = Print address resolution info.
     200 * = Print NV-RAM info.
     400 * = Print Mac OS "universal" info.
     800 * = Print "special" node info.
    1000 * = Load EtherPrintf utility via parcel for post FCode debugging.
    2000 * = Print BOOTP/DHCP/BSDP information.
    4000   = Allocate writable ROM aperture.
    8000   = Mark Toolbox image as non-cacheable.
   10000 * = Print parcel info while copying the device tree.
   20000   = Print information on device tree data checksums.
 1000000   = Enable the Nanokernel debugger.
 2000000   = Display the Nanokernel log during boot.
10000000   = Dont attempt to unhibernate system.
40000000   = Halt after end of FCode (useful if outputting to screen).

MacOS: RTAS not found.
work area logical address = 0x3FAD8000, physical address = 0x3FAD8000.
IsKeyDown: no keys held down
Found parcel 'Mac OS ROM Parcel', type 'rom '.
Heathrow location method better get fixed.
NVRAM path: /nvram@fff04000; result = 15
NVRAM size = 0x00002000.
NVRAM partition offset=00000000, SIG=70, size=00C1, name='      system'
NVRAM partition offset=00000C10, SIG=7F, size=003F, name='        free'
NVRAM partition offset=00001000, SIG=5A, size=0100, name=' wwwwwwwwwww'
MacOS: unable to find a usable NVRAM partition - using offset 0x1400.
MacOS NVRAM partition offset = 0x13f0
Found NVRAM node: /nvram@fff04000
RAM Disk Size: 0
DR Emulator Cache Size: 0
created node 'AAPL,CodePrepare'
parcel 'CodePrepare Node Parcel': Added property 'AAPL,prepare_order'.
node '': decompressing property 'TimeManagerLib'.
parcel 'CodePrepare Node Parcel': Added property 'TimeManagerLib'.
node '': decompressing property 'NVRAMServicesLib'.
parcel 'CodePrepare Node Parcel': Added property 'NVRAMServicesLib'.
MacOS: Found a plug-in for NVRAM.
node '': decompressing property 'RTCServicesLib'.
parcel 'CodePrepare Node Parcel': Added property 'RTCServicesLib'.
MacOS: Found a plug-in for RTC.
created node 'AAPL,CodeRegister'
node '': decompressing property 'NativePowerMgrLib'.
parcel 'CodeRegister Node Parcel': Added property 'NativePowerMgrLib'.
node '': decompressing property 'AGPLib'.
parcel 'CodeRegister Node Parcel': Added property 'AGPLib'.
node '': decompressing property 'EtherPrintfLib'.
parcel 'CodeRegister Node Parcel': Added property 'EtherPrintfLib'.
node '': decompressing property 'StartLib'.
parcel 'CodeRegister Node Parcel': Added property 'StartLib'.
  Copying first property 'name' stored at 0x3FB06F7C, devNode 0x3FAD800C
Found parcel 'Property Checksum', type 'psum'.
  Copying peer property '#address-cells' stored at 0x3FB06FB0
  Copying peer property '#size-cells' stored at 0x3FB06FDC
  Copying peer property 'clock-frequency' stored at 0x3FB07008
  Copying peer property 'model' stored at 0x3FB07034
  Copying peer property 'compatible' stored at 0x3FB07068
  Copying peer property 'device_type' stored at 0x3FB070C0
  Copying peer property 'system-id' stored at 0x3FB070F0
  Copying peer property 'copyright' stored at 0x3FB07128
Copying child device node 'aliases' of node at 0x3FAD800C.
  Copying first property 'name' stored at 0x3FB071A0, devNode 0x3FAD8030
  Copying peer property 'mac-io' stored at 0x3FB071D0
  Copying peer property 'via-cuda' stored at 0x3FB07210
  Copying peer property 'adb-keyboard' stored at 0x3FB07258
  Copying peer property 'adb-mouse' stored at 0x3FB072B0
  Copying peer property 'rtc' stored at 0x3FB07304
  Copying peer property 'nvram' stored at 0x3FB07350
  Copying peer property 'scca' stored at 0x3FB07380
  Copying peer property 'sccb' stored at 0x3FB073CC
  Copying peer property 'ide0' stored at 0x3FB07418
  Copying peer property 'hd' stored at 0x3FB07468
  Copying peer property 'disk' stored at 0x3FB074B8
  Copying peer property 'ide1' stored at 0x3FB07508
  Copying peer property 'cd' stored at 0x3FB0755C
  Copying peer property 'cdrom' stored at 0x3FB075B0
  Copying peer property 'keyboard' stored at 0x3FB07604
  Copying peer property 'screen' stored at 0x3FB07664
  Copying peer property 'kbd' stored at 0x3FB076B0
Copying device node peer 'openprom' of node at 0x3FAD8030.
  Copying first property 'name' stored at 0x3FB07710, devNode 0x3FAD803C
  Copying peer property 'device_type' stored at 0x3FB07744
  Copying peer property 'model' stored at 0x3FB07774
  Copying peer property 'relative-addressing' stored at 0x3FB077AC
  Copying peer property 'supports-bootinfo' stored at 0x3FB077D4
  Copying peer property 'boot-syntax' stored at 0x3FB077FC
Copying child device node 'client-services' of node at 0x3FAD803C.
  Copying first property 'name' stored at 0x3FB07828, devNode 0x3FAD8048
Copying device node peer 'options' of node at 0x3FAD803C.
  Copying first property 'name' stored at 0x3FB07860, devNode 0x3FAD8054
  Copying peer property 'boot-args' stored at 0x3FB07890
  Copying peer property 'boot-device' stored at 0x3FB078BC
  Copying peer property 'use-generic?' stored at 0x3FB07910
  Copying peer property 'boot-script' stored at 0x3FB07940
  Copying peer property 'boot-screen' stored at 0x3FB0796C
  Copying peer property 'vga-ndrv?' stored at 0x3FB07998
  Copying peer property 'virt-size' stored at 0x3FB079C8
  Copying peer property 'virt-base' stored at 0x3FB079F4
  Copying peer property 'load-base' stored at 0x3FB07A20
  Copying peer property 'real-size' stored at 0x3FB07A50
  Copying peer property 'real-base' stored at 0x3FB07A7C
  Copying peer property 'real-mode?' stored at 0x3FB07AA8
  Copying peer property 'little-endian?' stored at 0x3FB07AD8
  Copying peer property 'scroll-lock' stored at 0x3FB07B08
  Copying peer property 'skip-netboot?' stored at 0x3FB07B38
  Copying peer property 'default-mac-address' stored at 0x3FB07B68
  Copying peer property 'pci-probe-mask' stored at 0x3FB07B98
  Copying peer property 'selftest-#megs' stored at 0x3FB07BC4
  Copying peer property 'screen-#rows' stored at 0x3FB07BF0
  Copying peer property 'screen-#columns' stored at 0x3FB07C1C
  Copying peer property 'output-device' stored at 0x3FB07C48
  Copying peer property 'input-device' stored at 0x3FB07C94
  Copying peer property 'use-nvramrc?' stored at 0x3FB07CE0
  Copying peer property 'oem-logo?' stored at 0x3FB07D10
  Copying peer property 'oem-banner' stored at 0x3FB07D40
  Copying peer property 'oem-banner?' stored at 0x3FB07D6C
  Copying peer property 'nvramrc' stored at 0x3FB07D9C
  Copying peer property 'fcode-debug?' stored at 0x3FB07DC8
  Copying peer property 'diag-switch?' stored at 0x3FB07DF8
  Copying peer property 'boot-file' stored at 0x3FB07E28
  Copying peer property 'boot-command' stored at 0x3FB07E54
  Copying peer property 'auto-boot?' stored at 0x3FB07E84
  Copying peer property 'aapl,debug' stored at 0x3FB07EB4
Copying device node peer 'chosen' of node at 0x3FAD8054.
  Copying first property 'name' stored at 0x3FB07EE4, devNode 0x3FAD8060
  Copying peer property 'stdin' stored at 0x3FB07F14
  Copying peer property 'stdout' stored at 0x3FB07F40
  Copying peer property 'nvram' stored at 0x3FB07F6C
  Copying peer property 'mmu' stored at 0x3FB07F98
  Copying peer property 'rtc' stored at 0x3FB07FC4
  Copying peer property 'memory' stored at 0x3FB07FF0
  Copying peer property 'bootargs' stored at 0x3FB0801C
  Copying peer property 'bootpath' stored at 0x3FB08048
Copying device node peer 'builtin' of node at 0x3FAD8060.
  Copying first property 'name' stored at 0x3FB080A4, devNode 0x3FAD806C
Copying child device node 'console' of node at 0x3FAD806C.
  Copying first property 'name' stored at 0x3FB080D4, devNode 0x3FAD8078
Copying device node peer 'packages' of node at 0x3FAD806C.
  Copying first property 'name' stored at 0x3FB08104, devNode 0x3FAD8084
Copying child device node 'cmdline' of node at 0x3FAD8084.
  Copying first property 'name' stored at 0x3FB08138, devNode 0x3FAD8090
Copying device node peer 'disk-label' of node at 0x3FAD8090.
  Copying first property 'name' stored at 0x3FB08168, devNode 0x3FAD809C
Copying device node peer 'terminal-emulator' of node at 0x3FAD809C.
  Copying first property 'name' stored at 0x3FB0819C, devNode 0x3FAD80A8
Copying device node peer 'deblocker' of node at 0x3FAD80A8.
  Copying first property 'name' stored at 0x3FB081D8, devNode 0x3FAD80B4
Copying device node peer 'hfsplus-files' of node at 0x3FAD80B4.
  Copying first property 'name' stored at 0x3FB0820C, devNode 0x3FAD80C0
Copying device node peer 'hfs-files' of node at 0x3FAD80C0.
  Copying first property 'name' stored at 0x3FB08244, devNode 0x3FAD80CC
Copying device node peer 'ext2-files' of node at 0x3FAD80CC.
  Copying first property 'name' stored at 0x3FB08278, devNode 0x3FAD80D8
Copying device node peer 'iso9660-files' of node at 0x3FAD80D8.
  Copying first property 'name' stored at 0x3FB082AC, devNode 0x3FAD80E4
Copying device node peer 'grubfs-files' of node at 0x3FAD80E4.
  Copying first property 'name' stored at 0x3FB082E4, devNode 0x3FAD80F0
Copying device node peer 'mac-parts' of node at 0x3FAD80F0.
  Copying first property 'name' stored at 0x3FB0831C, devNode 0x3FAD80FC
  Copying peer property 'selected-partition-args' stored at 0x3FB08350
Copying device node peer 'pc-parts' of node at 0x3FAD80FC.
  Copying first property 'name' stored at 0x3FB08384, devNode 0x3FAD8108
Copying device node peer 'xcoff-loader' of node at 0x3FAD8108.
  Copying first property 'name' stored at 0x3FB083B8, devNode 0x3FAD8114
Copying device node peer 'elf-loader' of node at 0x3FAD8114.
  Copying first property 'name' stored at 0x3FB083F0, devNode 0x3FAD8120
Copying device node peer 'bootinfo-loader' of node at 0x3FAD8120.
  Copying first property 'name' stored at 0x3FB08424, devNode 0x3FAD812C
Copying device node peer 'cpus' of node at 0x3FAD8084.
  Copying first property 'name' stored at 0x3FB0845C, devNode 0x3FAD8138
  Copying peer property '#address-cells' stored at 0x3FB0848C
  Copying peer property '#size-cells' stored at 0x3FB084B8
Copying child device node 'PowerPC,970FX' of node at 0x3FAD8138.
  Copying first property 'name' stored at 0x3FB084E4, devNode 0x3FAD8144
  Copying peer property 'device_type' stored at 0x3FB0851C
  Copying peer property 'cpu-version' stored at 0x3FB08548
  Copying peer property 'd-cache-size' stored at 0x3FB08574
  Copying peer property 'i-cache-size' stored at 0x3FB085A0
  Copying peer property 'd-cache-sets' stored at 0x3FB085CC
  Copying peer property 'i-cache-sets' stored at 0x3FB085F8
  Copying peer property 'd-cache-block-size' stored at 0x3FB08624
  Copying peer property 'i-cache-block-size' stored at 0x3FB08650
  Copying peer property 'tlb-sets' stored at 0x3FB0867C
  Copying peer property 'tlb-size' stored at 0x3FB086A8
  Copying peer property 'timebase-frequency' stored at 0x3FB086D4
  Copying peer property 'clock-frequency' stored at 0x3FB08700
  Copying peer property 'bus-frequency' stored at 0x3FB0872C
  Copying peer property 'state' stored at 0x3FB08758
  Copying peer property 'reservation-granule-size' stored at 0x3FB08788
  Copying peer property 'reg' stored at 0x3FB087B4
  Copying peer property '64-bit' stored at 0x3FB087E0
  Copying peer property 'available' stored at 0x3FB08808
  Copying peer property 'translations' stored at 0x3FB088A0
Copying device node peer 'memory' of node at 0x3FAD8138.
  Copying first property 'name' stored at 0x3FB089D8, devNode 0x3FAD8150
  Copying peer property 'device_type' stored at 0x3FB08A08
  Copying peer property 'reg' stored at 0x3FB08A38
  Copying peer property 'available' stored at 0x3FB08A68
Copying device node peer 'rom' of node at 0x3FAD8150.
  Copying first property 'name' stored at 0x3FB08B00, devNode 0x3FAD815C
  Copying peer property 'reg' stored at 0x3FB08B2C
  Copying peer property '#address-cells' stored at 0x3FB08B5C
  Copying peer property 'ranges' stored at 0x3FB08B88
Copying child device node 'macos' of node at 0x3FAD815C.
node name 'macos': Matched parcel 'macos', device_type ''.
  Copying first property 'name' stored at 0x3FB08BBC, devNode 0x3FAD8168
  Copying peer property 'AAPL,toolbox-parcels' stored at 0x3FB08BEC
node 'macos': Added property 'MacOSROMFile-version'.
Copying device node peer 'pci' of node at 0x3FAD815C.
  Copying first property 'name' stored at 0x3FB08C4C, devNode 0x3FAD8174
  Copying peer property 'reg' stored at 0x3FB08C78
  Copying peer property 'vendor-id' stored at 0x3FB08CA8
  Copying peer property 'device-id' stored at 0x3FB08CD4
  Copying peer property 'revision-id' stored at 0x3FB08D00
  Copying peer property 'class-code' stored at 0x3FB08D2C
  Copying peer property 'min-grant' stored at 0x3FB08D58
  Copying peer property 'max-latency' stored at 0x3FB08D84
  Copying peer property 'devsel-speed' stored at 0x3FB08DB0
  Copying peer property 'subsystem-vendor-id' stored at 0x3FB08DDC
  Copying peer property 'subsystem-id' stored at 0x3FB08E08
  Copying peer property 'cache-line-size' stored at 0x3FB08E34
  Copying peer property 'device_type' stored at 0x3FB08E60
  Copying peer property 'model' stored at 0x3FB08E8C
  Copying peer property 'compatible' stored at 0x3FB08EC4
  Copying peer property '#address-cells' stored at 0x3FB08EF4
  Copying peer property '#size-cells' stored at 0x3FB08F20
  Copying peer property '#interrupt-cells' stored at 0x3FB08F4C
  Copying peer property 'ranges' stored at 0x3FB08F78
  Copying peer property 'bus-range' stored at 0x3FB08FD0
  Copying peer property 'available' stored at 0x3FB09000
  Copying peer property 'interrupt-parent' stored at 0x3FB09050
  Copying peer property 'interrupt-map' stored at 0x3FB0907C
  Copying peer property 'interrupt-map-mask' stored at 0x3FB090DC
Copying child device node 'mac-io' of node at 0x3FAD8174.
matching assigned address:
Dumping 20 bytes @ 0x001125A0
001125A0: 02006010 00000000 80000000 00000000
001125B0: 00080000

HandleSpecialNode: Mac-IO base address = 0x80000000.
  Copying first property 'name' stored at 0x3FB09114, devNode 0x3FAD8180
  Copying peer property 'vendor-id' stored at 0x3FB09144
  Copying peer property 'device-id' stored at 0x3FB09170
  Copying peer property 'revision-id' stored at 0x3FB0919C
  Copying peer property 'class-code' stored at 0x3FB091C8
  Copying peer property 'min-grant' stored at 0x3FB091F4
  Copying peer property 'max-latency' stored at 0x3FB09220
  Copying peer property 'devsel-speed' stored at 0x3FB0924C
  Copying peer property 'subsystem-vendor-id' stored at 0x3FB09278
  Copying peer property 'subsystem-id' stored at 0x3FB092A4
  Copying peer property 'cache-line-size' stored at 0x3FB092D0
  Copying peer property 'device_type' stored at 0x3FB092FC
  Copying peer property 'model' stored at 0x3FB0932C
  Copying peer property 'compatible' stored at 0x3FB09364
  Copying peer property '#address-cells' stored at 0x3FB09398
  Copying peer property '#size-cells' stored at 0x3FB093C4
  Copying peer property '#interrupt-cells' stored at 0x3FB093F0
  Copying peer property 'assigned-addresses' stored at 0x3FB0941C
Creating property - 'AAPL,address' (size = 4)
Creating property 'AAPL,address' (size = 0x4); stored at 0x3FB09458. Belongs to devNode 0x3FAD8180
  Copying peer property 'reg' stored at 0x3FB09484
  Copying peer property 'ranges' stored at 0x3FB094D4
  Copying peer property 'interrupt-parent' stored at 0x3FB09510
Copying child device node 'via-cuda' of node at 0x3FAD8180.
HandleSpecialNode: Cuda detected, VIA base address = 0x80016000.
compatible 'cuda': Matched parcel 'cuda', device_type 'via-cuda'.
  Copying first property 'name' stored at 0x3FB0953C, devNode 0x3FAD818C
  Copying peer property 'device_type' stored at 0x3FB09570
  Copying peer property '#address-cells' stored at 0x3FB095A4
  Copying peer property '#size-cells' stored at 0x3FB095D0
  Copying peer property 'compatible' stored at 0x3FB095FC
  Copying peer property 'reg' stored at 0x3FB0962C
Creating property - 'AAPL,address' (size = 4)
Creating property 'AAPL,address' (size = 0x4); stored at 0x3FB0965C. Belongs to devNode 0x3FAD818C
  Copying peer property 'interrupts' stored at 0x3FB09688
---------------- Node 'via-cuda' has 1 interrupt(s). ----------------
Processing unit_interrupt_specifier:
Raw unit_int_specifier   : 00000019 00000000
unit_interrupt_specifer[0] = 25
(ua_size = 0, is_size = 2) setting edge[0] to 1
OpenPIC setup: vectorIndex 0, intSource 25, level 1, sense 0, polarity 0
  Copying peer property '#interrupt-cells' stored at 0x3FB09768
  Copying peer property 'interrupt-parent' stored at 0x3FB09794
node 'via-cuda': Added property 'pef,AAPL,MacOS,PowerPC,register'.
node 'via-cuda': decompressing property 'pef,AAPL,MacOS,PowerPC,register'.
node 'via-cuda': Added property 'code,AAPL,MacOS,name'.
MacOS: Found a PowerPlugin.
Copying child device node 'adb' of node at 0x3FAD818C.
HandleSpecialNode: Cuda ADB detected.
  Copying first property 'name' stored at 0x3FB0D3A0, devNode 0x3FAD8198
  Copying peer property 'device_type' stored at 0x3FB0D3CC
  Copying peer property 'compatible' stored at 0x3FB0D3F8
  Copying peer property '#address-cells' stored at 0x3FB0D424
  Copying peer property '#size-cells' stored at 0x3FB0D450
Copying child device node 'keyboard' of node at 0x3FAD8198.
  Copying first property 'name' stored at 0x3FB0D47C, devNode 0x3FAD81A4
  Copying peer property 'device_type' stored at 0x3FB0D4B0
  Copying peer property 'reg' stored at 0x3FB0D4E4
Copying device node peer 'mouse' of node at 0x3FAD81A4.
  Copying first property 'name' stored at 0x3FB0D510, devNode 0x3FAD81B0
  Copying peer property 'device_type' stored at 0x3FB0D540
  Copying peer property 'reg' stored at 0x3FB0D570
  Copying peer property '#buttons' stored at 0x3FB0D59C
Copying device node peer 'rtc' of node at 0x3FAD8198.
parent name 'via-cuda': Matched parcel 'via-cuda', device_type 'rtc'.
  Copying first property 'name' stored at 0x3FB0D5C8, devNode 0x3FAD81BC
  Copying peer property 'device_type' stored at 0x3FB0D5F4
  Copying peer property 'compatible' stored at 0x3FB0D620
node 'rtc': Added property 'driver,AAPL,MacOS,PowerPC'.
node 'rtc': decompressing property 'driver,AAPL,MacOS,PowerPC'.
Copying device node peer 'power-mgt' of node at 0x3FAD81BC.
HandleSpecialNode: Cuda Power Mgt detected.
  Copying first property 'name' stored at 0x3FB0D9FC, devNode 0x3FAD81C8
  Copying peer property 'device_type' stored at 0x3FB0DA30
  Copying peer property 'mgt-kind' stored at 0x3FB0DA64
  Copying peer property 'compatible' stored at 0x3FB0DAA4
Copying device node peer 'escc' of node at 0x3FAD818C.
  Copying first property 'name' stored at 0x3FB0DAD4, devNode 0x3FAD81D4
  Copying peer property '#address-cells' stored at 0x3FB0DB04
  Copying peer property 'reg' stored at 0x3FB0DB30
Creating property - 'AAPL,address' (size = 4)
Creating property 'AAPL,address' (size = 0x4); stored at 0x3FB0DB60. Belongs to devNode 0x3FAD81D4
  Copying peer property 'device_type' stored at 0x3FB0DB8C
  Copying peer property 'compatible' stored at 0x3FB0DBBC
  Copying peer property 'ranges' stored at 0x3FB0DBF4
Copying child device node 'ch-a' of node at 0x3FAD81D4.
HandleSpecialNode: ch-a slot-name detected.
  Copying first property 'name' stored at 0x3FB0DC1C, devNode 0x3FAD81E0
  Copying peer property 'device_type' stored at 0x3FB0DC4C
  Copying peer property 'compatible' stored at 0x3FB0DC7C
  Copying peer property 'reg' stored at 0x3FB0DCB0
Creating property - 'AAPL,address' (size = 20)
Creating property 'AAPL,address' (size = 0x14); stored at 0x3FB0DD00. Belongs to devNode 0x3FAD81E0
  Copying peer property 'interrupts' stored at 0x3FB0DD3C
---------------- Node 'ch-a' has 3 interrupt(s). ----------------
Processing unit_interrupt_specifier:
Raw unit_int_specifier   : 00000025 00000001
unit_interrupt_specifer[0] = 37
(ua_size = 0, is_size = 2) setting edge[0] to 0
Processing unit_interrupt_specifier:
Raw unit_int_specifier   : 00000004 00000000
unit_interrupt_specifer[0] = 4
(ua_size = 0, is_size = 2) setting edge[1] to 1
Processing unit_interrupt_specifier:
Raw unit_int_specifier   : 00000005 00000000
unit_interrupt_specifer[0] = 5
(ua_size = 0, is_size = 2) setting edge[2] to 1
OpenPIC setup: vectorIndex 1, intSource 37, level 4, sense 1, polarity 0
OpenPIC setup: vectorIndex 2, intSource 4, level 4, sense 0, polarity 0
OpenPIC setup: vectorIndex 3, intSource 5, level 4, sense 0, polarity 0
  Copying peer property 'slot-names' stored at 0x3FB0DE4C
  Copying peer property 'interrupt-parent' stored at 0x3FB0DE78
Copying device node peer 'ch-b' of node at 0x3FAD81E0.
HandleSpecialNode: ch-b slot-name detected.
  Copying first property 'name' stored at 0x3FB0DEA4, devNode 0x3FAD81EC
  Copying peer property 'device_type' stored at 0x3FB0DED4
  Copying peer property 'compatible' stored at 0x3FB0DF04
  Copying peer property 'reg' stored at 0x3FB0DF38
Creating property - 'AAPL,address' (size = 20)
Creating property 'AAPL,address' (size = 0x14); stored at 0x3FB0DF88. Belongs to devNode 0x3FAD81EC
  Copying peer property 'interrupts' stored at 0x3FB0DFC4
---------------- Node 'ch-b' has 3 interrupt(s). ----------------
Processing unit_interrupt_specifier:
Raw unit_int_specifier   : 00000024 00000001
unit_interrupt_specifer[0] = 36
(ua_size = 0, is_size = 2) setting edge[0] to 0
Processing unit_interrupt_specifier:
Raw unit_int_specifier   : 00000006 00000000
unit_interrupt_specifer[0] = 6
(ua_size = 0, is_size = 2) setting edge[1] to 1
Processing unit_interrupt_specifier:
Raw unit_int_specifier   : 00000007 00000000
unit_interrupt_specifer[0] = 7
(ua_size = 0, is_size = 2) setting edge[2] to 1
OpenPIC setup: vectorIndex 4, intSource 36, level 4, sense 1, polarity 0
OpenPIC setup: vectorIndex 5, intSource 6, level 4, sense 0, polarity 0
OpenPIC setup: vectorIndex 6, intSource 7, level 4, sense 0, polarity 0
  Copying peer property 'slot-names' stored at 0x3FB0E0D4
  Copying peer property 'interrupt-parent' stored at 0x3FB0E100
Copying device node peer 'escc-legacy' of node at 0x3FAD81D4.
HandleSpecialNode: SCC legacy base address = 0x80012000.
  Copying first property 'name' stored at 0x3FB0E12C, devNode 0x3FAD81F8
  Copying peer property '#address-cells' stored at 0x3FB0E160
  Copying peer property 'reg' stored at 0x3FB0E18C
Creating property - 'AAPL,address' (size = 4)
Creating property 'AAPL,address' (size = 0x4); stored at 0x3FB0E1BC. Belongs to devNode 0x3FAD81F8
  Copying peer property 'device_type' stored at 0x3FB0E1E8
  Copying peer property 'compatible' stored at 0x3FB0E21C
  Copying peer property 'ranges' stored at 0x3FB0E250
Copying child device node 'ch-a' of node at 0x3FAD81F8.
HandleSpecialNode: ch-a slot-name detected.
  Copying first property 'name' stored at 0x3FB0E278, devNode 0x3FAD8204
  Copying peer property 'device_type' stored at 0x3FB0E2A8
  Copying peer property 'compatible' stored at 0x3FB0E2D8
  Copying peer property 'reg' stored at 0x3FB0E30C
Creating property - 'AAPL,address' (size = 20)
Creating property 'AAPL,address' (size = 0x14); stored at 0x3FB0E35C. Belongs to devNode 0x3FAD8204
  Copying peer property 'interrupts' stored at 0x3FB0E398
---------------- Node 'ch-a' has 3 interrupt(s). ----------------
Processing unit_interrupt_specifier:
Raw unit_int_specifier   : 00000025 00000001
unit_interrupt_specifer[0] = 37
(ua_size = 0, is_size = 2) setting edge[0] to 0
Processing unit_interrupt_specifier:
Raw unit_int_specifier   : 00000004 00000000
unit_interrupt_specifer[0] = 4
(ua_size = 0, is_size = 2) setting edge[1] to 1
Processing unit_interrupt_specifier:
Raw unit_int_specifier   : 00000005 00000000
unit_interrupt_specifer[0] = 5
(ua_size = 0, is_size = 2) setting edge[2] to 1
OpenPIC setup: vectorIndex 1, intSource 37, level 4, sense 1, polarity 0
OpenPIC setup: vectorIndex 2, intSource 4, level 4, sense 0, polarity 0
OpenPIC setup: vectorIndex 3, intSource 5, level 4, sense 0, polarity 0
  Copying peer property 'slot-names' stored at 0x3FB0E4A8
  Copying peer property 'interrupt-parent' stored at 0x3FB0E4D4
Copying device node peer 'ch-b' of node at 0x3FAD8204.
HandleSpecialNode: ch-b slot-name detected.
  Copying first property 'name' stored at 0x3FB0E500, devNode 0x3FAD8210
  Copying peer property 'device_type' stored at 0x3FB0E530
  Copying peer property 'compatible' stored at 0x3FB0E560
  Copying peer property 'reg' stored at 0x3FB0E594
Creating property - 'AAPL,address' (size = 20)
Creating property 'AAPL,address' (size = 0x14); stored at 0x3FB0E5E4. Belongs to devNode 0x3FAD8210
  Copying peer property 'interrupts' stored at 0x3FB0E620
---------------- Node 'ch-b' has 3 interrupt(s). ----------------
Processing unit_interrupt_specifier:
Raw unit_int_specifier   : 00000024 00000001
unit_interrupt_specifer[0] = 36
(ua_size = 0, is_size = 2) setting edge[0] to 0
Processing unit_interrupt_specifier:
Raw unit_int_specifier   : 00000006 00000000
unit_interrupt_specifer[0] = 6
(ua_size = 0, is_size = 2) setting edge[1] to 1
Processing unit_interrupt_specifier:
Raw unit_int_specifier   : 00000007 00000000
unit_interrupt_specifer[0] = 7
(ua_size = 0, is_size = 2) setting edge[2] to 1
OpenPIC setup: vectorIndex 4, intSource 36, level 4, sense 1, polarity 0
OpenPIC setup: vectorIndex 5, intSource 6, level 4, sense 0, polarity 0
OpenPIC setup: vectorIndex 6, intSource 7, level 4, sense 0, polarity 0
  Copying peer property 'slot-names' stored at 0x3FB0E730
  Copying peer property 'interrupt-parent' stored at 0x3FB0E75C
Copying device node peer 'ata-3' of node at 0x3FAD81F8.
compatible 'keylargo-ata': Matched parcel 'keylargo-ata', device_type 'ata'.
  Copying first property 'name' stored at 0x3FB0E788, devNode 0x3FAD821C
  Copying peer property 'device_type' stored at 0x3FB0E7B8
  Copying peer property '#address-cells' stored at 0x3FB0E7E4
  Copying peer property '#size-cells' stored at 0x3FB0E810
  Copying peer property 'compatible' stored at 0x3FB0E83C
  Copying peer property 'model' stored at 0x3FB0E874
  Copying peer property 'AAPL,connector' stored at 0x3FB0E8A4
  Copying peer property 'AAPL,pio-timing' stored at 0x3FB0E8D0
  Copying peer property 'interrupts' stored at 0x3FB0E918
---------------- Node 'ata-3' has 2 interrupt(s). ----------------
Processing unit_interrupt_specifier:
Raw unit_int_specifier   : 0000000D 00000001
unit_interrupt_specifer[0] = 13
(ua_size = 0, is_size = 2) setting edge[0] to 0
Processing unit_interrupt_specifier:
Raw unit_int_specifier   : 00000002 00000000
unit_interrupt_specifer[0] = 2
(ua_size = 0, is_size = 2) setting edge[1] to 1
OpenPIC setup: vectorIndex 7, intSource 13, level 2, sense 1, polarity 0
OpenPIC setup: vectorIndex 8, intSource 2, level 4, sense 0, polarity 0
  Copying peer property '#interrupt-cells' stored at 0x3FB0EA10
  Copying peer property 'reg' stored at 0x3FB0EA3C
Creating property - 'AAPL,address' (size = 8)
Creating property 'AAPL,address' (size = 0x8); stored at 0x3FB0EA74. Belongs to devNode 0x3FAD821C
  Copying peer property 'AAPL,bus-id' stored at 0x3FB0EAA4
  Copying peer property 'interrupt-parent' stored at 0x3FB0EAD0
node 'ata-3': Added property 'driver,AAPL,MacOS,PowerPC'.
node 'ata-3': decompressing property 'driver,AAPL,MacOS,PowerPC'.
Copying child device node 'disk' of node at 0x3FAD821C.
  Copying first property 'name' stored at 0x3FB14868, devNode 0x3FAD8228
  Copying peer property 'device_type' stored at 0x3FB14898
  Copying peer property '#address-cells' stored at 0x3FB148C8
  Copying peer property '#size-cells' stored at 0x3FB148F4
  Copying peer property 'reg' stored at 0x3FB14920
Copying device node peer 'ata-3' of node at 0x3FAD821C.
compatible 'keylargo-ata': Matched parcel 'keylargo-ata', device_type 'ata'.
  Copying first property 'name' stored at 0x3FB1494C, devNode 0x3FAD8234
  Copying peer property 'device_type' stored at 0x3FB1497C
  Copying peer property '#address-cells' stored at 0x3FB149A8
  Copying peer property '#size-cells' stored at 0x3FB149D4
  Copying peer property 'compatible' stored at 0x3FB14A00
  Copying peer property 'model' stored at 0x3FB14A38
  Copying peer property 'AAPL,connector' stored at 0x3FB14A68
  Copying peer property 'AAPL,pio-timing' stored at 0x3FB14A94
  Copying peer property 'interrupts' stored at 0x3FB14ADC
---------------- Node 'ata-3' has 2 interrupt(s). ----------------
Processing unit_interrupt_specifier:
Raw unit_int_specifier   : 0000000E 00000001
unit_interrupt_specifer[0] = 14
(ua_size = 0, is_size = 2) setting edge[0] to 0
Processing unit_interrupt_specifier:
Raw unit_int_specifier   : 00000003 00000000
unit_interrupt_specifer[0] = 3
(ua_size = 0, is_size = 2) setting edge[1] to 1
OpenPIC setup: vectorIndex 9, intSource 14, level 2, sense 1, polarity 0
OpenPIC setup: vectorIndex 10, intSource 3, level 4, sense 0, polarity 0
  Copying peer property '#interrupt-cells' stored at 0x3FB14BD4
  Copying peer property 'reg' stored at 0x3FB14C00
Creating property - 'AAPL,address' (size = 8)
Creating property 'AAPL,address' (size = 0x8); stored at 0x3FB14C38. Belongs to devNode 0x3FAD8234
  Copying peer property 'AAPL,bus-id' stored at 0x3FB14C68
  Copying peer property 'interrupt-parent' stored at 0x3FB14C94
node 'ata-3': Added property 'driver,AAPL,MacOS,PowerPC'.
node 'ata-3': decompressing property 'driver,AAPL,MacOS,PowerPC'.
Copying child device node 'cdrom' of node at 0x3FAD8234.
  Copying first property 'name' stored at 0x3FB1AA2C, devNode 0x3FAD8240
  Copying peer property 'device_type' stored at 0x3FB1AA5C
  Copying peer property '#address-cells' stored at 0x3FB1AA8C
  Copying peer property '#size-cells' stored at 0x3FB1AAB8
  Copying peer property 'reg' stored at 0x3FB1AAE4
Copying device node peer 'interrupt-controller' of node at 0x3FAD8234.
HandleSpecialNode: Host OpenPIC has base address = 0x80040000.
  Copying first property 'name' stored at 0x3FB1AB10, devNode 0x3FAD824C
  Copying peer property 'device_type' stored at 0x3FB1AB50
  Copying peer property 'compatible' stored at 0x3FB1AB84
  Copying peer property 'built-in' stored at 0x3FB1ABBC
  Copying peer property 'reg' stored at 0x3FB1ABE4
Creating property - 'AAPL,address' (size = 4)
Creating property 'AAPL,address' (size = 0x4); stored at 0x3FB1AC14. Belongs to devNode 0x3FAD824C
  Copying peer property '#interrupt-cells' stored at 0x3FB1AC40
  Copying peer property '#address-cells' stored at 0x3FB1AC6C
  Copying peer property 'interrupt-controller' stored at 0x3FB1AC98
  Copying peer property 'clock-frequency' stored at 0x3FB1ACC0
Copying device node peer 'usb' of node at 0x3FAD8180.
  Copying first property 'name' stored at 0x3FB1ACEC, devNode 0x3FAD8258
  Copying peer property 'vendor-id' stored at 0x3FB1AD18
  Copying peer property 'device-id' stored at 0x3FB1AD44
  Copying peer property 'revision-id' stored at 0x3FB1AD70
  Copying peer property 'class-code' stored at 0x3FB1AD9C
  Copying peer property 'interrupts' stored at 0x3FB1ADC8
---------------- Node 'usb' has 1 interrupt(s). ----------------
Processing unit_interrupt_specifier:
Raw unit_int_specifier   : 00006800 00000000 00000000 00000001
Interrupt-map-mask values: 00FFF800 00000000 00000000 00000007

Comparing interrupt-map entries to this unit_interrupt_specifier:

Masked unit_int_specifier: 00006800 00000000 00000000 00000001
Interrupt-map child spec : 00006800 00000000 00000000 00000001
New unit_int_specifier   : 0000001C 00000001

unit_interrupt_specifer[0] = 28
(ua_size = 0, is_size = 2) setting edge[0] to 0
OpenPIC setup: vectorIndex 11, intSource 28, level 2, sense 1, polarity 0
  Copying peer property 'min-grant' stored at 0x3FB1AEA4
  Copying peer property 'max-latency' stored at 0x3FB1AED0
  Copying peer property 'devsel-speed' stored at 0x3FB1AEFC
  Copying peer property 'subsystem-vendor-id' stored at 0x3FB1AF28
  Copying peer property 'subsystem-id' stored at 0x3FB1AF54
  Copying peer property 'cache-line-size' stored at 0x3FB1AF80
  Copying peer property 'device_type' stored at 0x3FB1AFAC
  Copying peer property 'compatible' stored at 0x3FB1AFD8
  Copying peer property '#address-cells' stored at 0x3FB1B01C
  Copying peer property 'assigned-addresses' stored at 0x3FB1B048
Creating property - 'AAPL,address' (size = 4)
Creating property 'AAPL,address' (size = 0x4); stored at 0x3FB1B084. Belongs to devNode 0x3FAD8258
  Copying peer property 'reg' stored at 0x3FB1B0B0
Copying child device node 'keyboard' of node at 0x3FAD8258.
  Copying first property 'name' stored at 0x3FB1B100, devNode 0x3FAD8264
  Copying peer property 'device_type' stored at 0x3FB1B134
Copying device node peer 'QEMU,VGA' of node at 0x3FAD8258.
device_type 'display': Matched parcel 'cofb', device_type 'display'.
  Copying first property 'name' stored at 0x3FB1B168, devNode 0x3FAD8270
  Copying peer property 'vendor-id' stored at 0x3FB1B19C
  Copying peer property 'device-id' stored at 0x3FB1B1C8
  Copying peer property 'revision-id' stored at 0x3FB1B1F4
  Copying peer property 'class-code' stored at 0x3FB1B220
  Copying peer property 'min-grant' stored at 0x3FB1B24C
  Copying peer property 'max-latency' stored at 0x3FB1B278
  Copying peer property 'devsel-speed' stored at 0x3FB1B2A4
  Copying peer property 'subsystem-vendor-id' stored at 0x3FB1B2D0
  Copying peer property 'subsystem-id' stored at 0x3FB1B2FC
  Copying peer property 'cache-line-size' stored at 0x3FB1B328
  Copying peer property 'device_type' stored at 0x3FB1B354
  Copying peer property 'model' stored at 0x3FB1B384
  Copying peer property 'compatible' stored at 0x3FB1B3B8
  Copying peer property 'assigned-addresses' stored at 0x3FB1B3E4
Creating property - 'AAPL,address' (size = 8)
Creating property 'AAPL,address' (size = 0x8); stored at 0x3FB1B434. Belongs to devNode 0x3FAD8270
  Copying peer property 'reg' stored at 0x3FB1B464
  Copying peer property 'width' stored at 0x3FB1B4C8
  Copying peer property 'height' stored at 0x3FB1B4F4
  Copying peer property 'depth' stored at 0x3FB1B520
  Copying peer property 'linebytes' stored at 0x3FB1B54C
  Copying peer property 'driver,AAPL,MacOS,PowerPC' stored at 0x3FB1B578
node 'QEMU,VGA': Did NOT replace property 'driver,AAPL,MacOS,PowerPC'.
node 'QEMU,VGA': Property NOT added (already loaded) 'driver,AAPL,MacOS,PowerPC'.
Copying device node peer 'NE2000' of node at 0x3FAD8270.
  Copying first property 'name' stored at 0x3FB1EF44, devNode 0x3FAD827C
  Copying peer property 'vendor-id' stored at 0x3FB1EF74
  Copying peer property 'device-id' stored at 0x3FB1EFA0
  Copying peer property 'revision-id' stored at 0x3FB1EFCC
  Copying peer property 'class-code' stored at 0x3FB1EFF8
  Copying peer property 'interrupts' stored at 0x3FB1F024
---------------- Node 'NE2000' has 1 interrupt(s). ----------------
Processing unit_interrupt_specifier:
Raw unit_int_specifier   : 00007800 00000000 00000000 00000001
Interrupt-map-mask values: 00FFF800 00000000 00000000 00000007

Comparing interrupt-map entries to this unit_interrupt_specifier:

Masked unit_int_specifier: 00007800 00000000 00000000 00000001
Interrupt-map child spec : 00006800 00000000 00000000 00000001
Interrupt-map child spec : 00007800 00000000 00000000 00000001
New unit_int_specifier   : 0000001E 00000001

unit_interrupt_specifer[0] = 30
(ua_size = 0, is_size = 2) setting edge[0] to 0
OpenPIC setup: vectorIndex 12, intSource 30, level 2, sense 1, polarity 0
  Copying peer property 'min-grant' stored at 0x3FB1F100
  Copying peer property 'max-latency' stored at 0x3FB1F12C
  Copying peer property 'devsel-speed' stored at 0x3FB1F158
  Copying peer property 'subsystem-vendor-id' stored at 0x3FB1F184
  Copying peer property 'subsystem-id' stored at 0x3FB1F1B0
  Copying peer property 'cache-line-size' stored at 0x3FB1F1DC
  Copying peer property 'device_type' stored at 0x3FB1F208
  Copying peer property 'model' stored at 0x3FB1F238
  Copying peer property 'assigned-addresses' stored at 0x3FB1F26C
Creating property - 'AAPL,address' (size = 4)
Creating property 'AAPL,address' (size = 0x4); stored at 0x3FB1F2A8. Belongs to devNode 0x3FAD827C
  Copying peer property 'reg' stored at 0x3FB1F2D4
  Copying peer property 'network-type' stored at 0x3FB1F324
  Copying peer property 'removable' stored at 0x3FB1F358
  Copying peer property 'category' stored at 0x3FB1F388
Copying device node peer 'nvram' of node at 0x3FAD8174.
compatible 'nvram,flash': Matched parcel 'nvram,flash', device_type 'nvram'.
  Copying first property 'name' stored at 0x3FB1F3B4, devNode 0x3FAD8288
  Copying peer property '#bytes' stored at 0x3FB1F3E4
  Copying peer property 'reg' stored at 0x3FB1F410
  Copying peer property 'device_type' stored at 0x3FB1F440
  Copying peer property 'compatible' stored at 0x3FB1F470
node 'nvram': Added property 'driver,AAPL,MacOS,PowerPC'.
node 'nvram': decompressing property 'driver,AAPL,MacOS,PowerPC'.
Copying device node peer 'uni-n' of node at 0x3FAD8288.
  Copying first property 'name' stored at 0x3FB1FFA8, devNode 0x3FAD8294
  Copying peer property 'device_type' stored at 0x3FB1FFD8
  Copying peer property 'compatible' stored at 0x3FB20014
  Copying peer property 'device-rev' stored at 0x3FB20048
  Copying peer property 'reg' stored at 0x3FB20074
MacOS: found RTAS replacement plug-ins -- tossing RTAS.

Creating dynamic ProductInfo & Friends
-- Dynamic ProductInfoPtr (logical) = 3FB200A4
-- SizeOf( ProductInfo )  = 108
-- Converting UniveralInfoTableBase to 68k logical address 3FB200A4.
Initializing ProductInfo record
-- Initializing productInfoVers to 2.
Initializing static section of DecoderInfoPrivate.
Initializing DecoderTable.
-- Initializing (logical) ROMAddr (which is ALWAYS FFC00000).
-- Initializing OpenPICBaseAddr.
---- OpenPICAddr = 80040000.
-- Initializing HeathrowBaseAddr.
-- Initializing VIA1 address.
---- VIA1Addr = 80016000.
-- Initializing SCC addresses.
---- SCC base address = 80012000.
-- Initializing Mesh SCSI information.
-- Initializing ADB information.
---- ADB (of some sort) detected.
-- ASSUMPTION -- we ALWAYS have some sort of ATA.
-- Initializing Sound information.
---- No Sound (of some sort) detected!
-- Initializing extValid bits.
---- extValid bits set to 03000006.
-- Initializing extValid1 bits.
---- extValid1 bits set to 0780880E.
-- Initializing HwCfgWord bits.
---- HwCfgWord bits set to 0480.

Dynamic ProductInfo Table:
Dumping 108 bytes @ 0x3FB200A4
3FB200A4: 00000094 00000000 00000000 00000000
3FB200B4: 0480001A 00000002 0000001C 60000000
3FB200C4: 00000000 03000006 0780880E 00000000
3FB200D4: 00000000 00000000 00000000 00000000
3FB200E4: 00000000 00000000 00000000 00000000
3FB200F4: 00000000 00000000 00000000 00000000
3FB20104: 00000000 00000000 00000000

Dynamic DecoderPrivateInfo Table:
Dumping 40 bytes @ 0x3FB20110
3FB20110: 0000001C 60000000 00000000 03000006
3FB20120: 0780880E 00000000 00000000 00000000
3FB20130: 1A010000 00000000

Dynamic DecoderInfo Table:
Dumping 384 bytes @ 0x3FB20138
3FB20138: FFC00000 00000000 80016000 80012000
3FB20148: 80012000 00000000 00000000 00000000
3FB20158: 00000000 00000000 00000000 00000000
3FB20168: 00000000 00000000 00000000 00000000
3FB20178: 00000000 00000000 00000000 00000000
3FB20188: 00000000 00000000 00000000 00000000
3FB20198: 00000000 00000000 00000000 00000000
3FB201A8: 00000000 00000000 00000000 00000000
3FB201B8: 00000000 00000000 00000000 00000000
3FB201C8: 00000000 00000000 00000000 00000000
3FB201D8: 00000000 00000000 00000000 00000000
3FB201E8: 00000000 00000000 00000000 00000000
3FB201F8: 00000000 00000000 00000000 00000000
3FB20208: 00000000 00000000 00000000 00000000
3FB20218: 00000000 00000000 00000000 00000000
3FB20228: 00000000 80040000 00010100 00000000
3FB20238: 00000000 00000000 00000000 00000000
3FB20248: 00000000 00000000 00000000 00000000
3FB20258: 00000000 00000000 00000000 00000000
3FB20268: 00000000 00000000 00000000 00000000
3FB20278: 00000000 00000000 00000000 00000000
3FB20288: 00000000 00000000 00000000 00000000
3FB20298: 00000000 00000000 00000000 00000000
3FB202A8: 00000000 00000000 00000000 00000000


Interrupt masks:
Dumping 64 bytes @ 0x3FEDF000
3FEDF000: 00000000 80000000 01580000 00000000
3FEDF010: 7EA00000 00000000 00000000 00000000
3FEDF020: 00000000 00000000 00000000 00000000
3FEDF030: 00000000 00000000 00000000 00000000

  Level         Raw Value  Bits active
    0 [00..31]  00000000   
      [32..63]  00000000   
    1 [00..31]  80000000   0
      [32..63]  00000000   
    2 [00..31]  01580000   7 9 11 12
      [32..63]  00000000   
    3 [00..31]  00000000   
      [32..63]  00000000   
    4 [00..31]  7EA00000   1 2 3 4 5 6 8 10
      [32..63]  00000000   
    5 [00..31]  00000000   
      [32..63]  00000000   
    6 [00..31]  00000000   
      [32..63]  00000000   
    7 [00..31]  00000000   
      [32..63]  00000000   

Interrupt vectors:
Dumping 128 bytes @ 0x3FEDD000
3FEDD000: 00190025 00040005 00240006 0007000D
3FEDD010: 0002000E 0003001C 001EFFFF FFFFFFFF
3FEDD020: 00000000 00000000 00000000 00000000
3FEDD030: 00000000 00000000 00000000 00000000
3FEDD040: 00000000 00000000 00000000 00000000
3FEDD050: 00000000 00000000 00000000 00000000
3FEDD060: 00000000 00000000 00000000 00000000
3FEDD070: 00000000 00000000 00000000 00000000

Interrupt priorities:
Dumping 64 bytes @ 0x3FEDC000
3FEDC000: 01040404 04040402 04020402 02000000
3FEDC010: 00000000 00000000 00000000 00000000
3FEDC020: 00000000 00000000 00000000 00000000
3FEDC030: 00000000 00000000 00000000 00000000

Spurious interrupt vector = 0x40
SCSIIntVect = 2048
SCCAIntVect = 37
SCCBIntVect = 36
VIAIntVect  = 25
ADBIntVect  = 2048
NMIIntVect  = 2048
OpenPIC @ 80040000 setup: setting interrupt source 25 to 0x00000180
OpenPIC @ 80040000 setup: setting interrupt source 37 to 0x01004480
OpenPIC @ 80040000 setup: setting interrupt source  4 to 0x02000480
OpenPIC @ 80040000 setup: setting interrupt source  5 to 0x03000480
OpenPIC @ 80040000 setup: setting interrupt source 36 to 0x04004480
OpenPIC @ 80040000 setup: setting interrupt source  6 to 0x05000480
OpenPIC @ 80040000 setup: setting interrupt source  7 to 0x06000480
OpenPIC @ 80040000 setup: setting interrupt source 13 to 0x07004280
OpenPIC @ 80040000 setup: setting interrupt source  2 to 0x08000480
OpenPIC @ 80040000 setup: setting interrupt source 14 to 0x09004280
OpenPIC @ 80040000 setup: setting interrupt source  3 to 0x0A000480
OpenPIC @ 80040000 setup: setting interrupt source 28 to 0x0B004280
OpenPIC @ 80040000 setup: setting interrupt source 30 to 0x0C004280
ToolboxImage current logical address = 0x3F400000, ToolboxImage final physical address = 0x00C00000.
ConfigInfo logical address in current ROM image = 0x3F70D000.
configinfop->ROMImageBaseOffset address  = 0x00BFD000.
configinfop->Mac68KROMOffset address     = 0x00BFD000.
configinfop->HWInitCodeOffset address    = 0x00000000.
configinfop->DiagPEFBundleOffset address = 0x00000000.
configinfop->KernelCodeOffset address    = 0x00F0D000.
configinfop->EmulatorCodeOffset address  = 0x00000000.
configinfop->OpcodeTableOffset address   = 0x00000000.
AddPageMapEntry: LA = 0xF0000000, count = 0x10000, PA = 0xF0000000, pageAttr = 0x003A, flags = 0x00.
Next free PageMap entry for segment 0xF is entry 0.
AddPageMapEntry: LA = 0x80000000, count = 0x0080, PA = 0x80000000, pageAttr = 0x003A, flags = 0x00.
Next free PageMap entry for segment 0x8 is entry 0.
AddPageMapEntry: LA = 0x80080000, count = 0x0001, PA = 0x80080000, pageAttr = 0x003A, flags = 0x00.
Next free PageMap entry for segment 0x8 is entry 1.
AddPageMapEntry: LA = 0x81000000, count = 0x1000, PA = 0x81000000, pageAttr = 0x0032, flags = 0x00.
Next free PageMap entry for segment 0x8 is entry 2.
AddPageMapEntry: LA = 0x82000000, count = 0x0001, PA = 0x82000000, pageAttr = 0x003A, flags = 0x00.
Next free PageMap entry for segment 0x8 is entry 3.
AddPageMapEntry: LA = 0x50000000, count = 0xFFFE, PA = 0x00000000, pageAttr = 0x0A00, flags = 0x00.
Next free PageMap entry for segment 0x5 is entry 0.
AddPageMapEntry: LA = 0x50000000, count = 0xFFFE, PA = 0x00000000, pageAttr = 0x0A00, flags = 0x00.
Next free PageMap entry for segment 0x5 is entry 1.
AddPageMapEntry: LA = 0x5FFFE000, count = 0x0001, PA = 0x00000000, pageAttr = 0x0012, flags = 0x01.
Next free PageMap entry for segment 0x5 is entry 2.
AddPageMapEntry: LA = 0x68FFF000, count = 0x0001, PA = 0x00000000, pageAttr = 0x0012, flags = 0x03.
Next free PageMap entry for segment 0x6 is entry 0.
AddPageMapEntry: LA = 0x68FFE000, count = 0x0001, PA = 0x00000000, pageAttr = 0x0011, flags = 0x02.
Next free PageMap entry for segment 0x6 is entry 1.
AddPageMapEntry: LA = 0x80060000, count = 0x0001, PA = 0x80060000, pageAttr = 0x003A, flags = 0x00.
Next free PageMap entry for segment 0x8 is entry 4.
AddPageMapEntry: LA = 0x68FEF000, count = 0x0001, PA = 0x00003000, pageAttr = 0x0013, flags = 0x00.
Next free PageMap entry for segment 0x6 is entry 2.
AddPageMapEntry: LA = 0x64000000, count = 0x0180, PA = 0x00000000, pageAttr = 0x0012, flags = 0x00.
Next free PageMap entry for segment 0x6 is entry 3.
--- Dumping PageMapStateTable ---
Segment = 0x5, LA = 0x00000000, count = 0xFFFD, PA = 0x00000000, pageAttr = 0x0A00, flags = 0x00.
Segment = 0x5, LA = 0x00000000, count = 0xFFFD, PA = 0x00000000, pageAttr = 0x0A00, flags = 0x00.
Segment = 0x5, LA = 0xFFFE0000, count = 0x0000, PA = 0x00000000, pageAttr = 0x0012, flags = 0x01.
Segment = 0x6, LA = 0x40000000, count = 0x017F, PA = 0x00000000, pageAttr = 0x0012, flags = 0x00.
Segment = 0x0, LA = 0x00000000, count = 0x0000, PA = 0x00003000, pageAttr = 0x0000, flags = 0x00.
Segment = 0x6, LA = 0x8FFE0000, count = 0x0000, PA = 0x00000000, pageAttr = 0x0011, flags = 0x02.
Segment = 0x6, LA = 0x00000000, count = 0x0000, PA = 0x00000000, pageAttr = 0x0000, flags = 0x03.
Segment = 0x0, LA = 0x00000000, count = 0x005F, PA = 0x00000000, pageAttr = 0x0000, flags = 0x00.
Segment = 0x8, LA = 0x00600000, count = 0x0000, PA = 0x80060000, pageAttr = 0x003A, flags = 0x00.
Segment = 0x0, LA = 0x00610000, count = 0xFF9E, PA = 0x00061000, pageAttr = 0x0000, flags = 0x00.
Segment = 0x0, LA = 0x00800000, count = 0x0000, PA = 0x80080000, pageAttr = 0x003A, flags = 0x00.
Segment = 0x8, LA = 0x10000000, count = 0x0FFF, PA = 0x81000000, pageAttr = 0x0032, flags = 0x00.
Segment = 0x0, LA = 0x00000000, count = 0x0000, PA = 0x00000000, pageAttr = 0x0000, flags = 0x00.
Segment = 0xF, LA = 0x00000000, count = 0xFFFF, PA = 0xF0000000, pageAttr = 0x003A, flags = 0x00.
ConfigInfo table:
Dumping 1792 bytes @ 0x3FEDB000
3FEDB000: 00000000 00000000 00000000 00000000
3FEDB010: 00000000 00000000 00000000 00000000
3FEDB020: 00000000 00000000 00BFD000 00400000
3FEDB030: 00000000 00BFD000 00300000 00000000
3FEDB040: 00000000 00000000 00000000 00F0D000
3FEDB050: 00000000 00000000 00000000 00000000
3FEDB060: 00000000 4E657757 6F726C64 2076312E
3FEDB070: 30202020 00000F00 00000100 00000070
3FEDB080: 0000E8B0 0000E8C0 00200000 FF9FFFFF
3FEDB090: 00E00000 80060000 06000000 5FFFE000
3FEDB0A0: 68FFE000 68FFF000 68080000 68060000
3FEDB0B0: 000003A0 00000012 00000180 000003AC
3FEDB0C0: 00000060 00000088 00000090 00000000
3FEDB0D0: 00000000 00000010 00100000 00000020
3FEDB0E0: 00200000 00000030 00300000 00000040
3FEDB0F0: 00400000 00000050 00500000 00000078
3FEDB100: 00600000 000000B0 00700000 000000C8
3FEDB110: 00800000 00000108 00900000 00000118
3FEDB120: 00A00000 00000128 00B00000 00000138
3FEDB130: 00C00000 00000148 00D00000 00000158
3FEDB140: 00E00000 00000168 00F00000 00000000
3FEDB150: 00000000 00000010 00100000 00000020
3FEDB160: 00200000 00000030 00300000 00000040
3FEDB170: 00400000 00000050 00500000 00000078
3FEDB180: 00600000 000000B0 00700000 000000C8
3FEDB190: 00800000 00000108 00900000 00000118
3FEDB1A0: 00A00000 00000128 00B00000 00000138
3FEDB1B0: 00C00000 00000148 00D00000 00000158
3FEDB1C0: 00E00000 00000168 00F00000 00000000
3FEDB1D0: 00000000 00000010 00100000 00000020
3FEDB1E0: 00200000 00000030 00300000 00000040
3FEDB1F0: 00400000 00000050 00500000 00000078
3FEDB200: 00600000 000000B0 00700000 000000C8
3FEDB210: 00800000 00000108 00900000 00000118
3FEDB220: 00A00000 00000128 00B00000 00000138
3FEDB230: 00C00000 00000148 00D00000 00000158
3FEDB240: 00E00000 00000168 00F00000 00000000
3FEDB250: 00000000 00000010 00100000 00000020
3FEDB260: 00200000 00000030 00300000 00000040
3FEDB270: 00400000 00000050 00500000 00000078
3FEDB280: 00600000 000000B0 00700000 000000C8
3FEDB290: 00800000 00000108 00900000 00000118
3FEDB2A0: 00A00000 00000128 00B00000 00000138
3FEDB2B0: 00C00000 00000148 00D00000 00000158
3FEDB2C0: 00E00000 00000168 00F00000 00000000
3FEDB2D0: 00000000 FFC0007F 00C00043 0000007F
3FEDB2E0: 00C00043 6800001F 00F00043 00000000
3FEDB2F0: 00000000 00000000 00000000 00000000
3FEDB300: 00000000 00000000 00000000 00000000
3FEDB310: 00000000 00000000 00000000 00000000
3FEDB320: 00000000 00000000 00000000 00000000
3FEDB330: 00000000 00000000 00000000 00000000
3FEDB340: 00000000 00000000 00000000 13FF13FF
3FEDB350: 13FF13FF F3FFF3FF 13FF13FF 00000000
3FEDB360: 00004000 00000000 00000000 00000000
3FEDB370: 00000000 00000000 01010000 00000000
3FEDB380: 00000000 00000000 00000000 00000000
3FEDB390: 00000000 00000000 00000000 00000000
3FEDB3A0: 00000004 FFC0002A 00000000 0000FFFF
3FEDB3B0: 00000A00 0000FFFF 00000A00 0000FFFF
3FEDB3C0: 00000A00 0000FFFF 00000A00 0000FFFF
3FEDB3D0: 00000A00 0000FFFF 00000A00 0000FFFF
3FEDB3E0: 00000A00 0000FFFF 00000A00 0000FFFF
3FEDB3F0: 00000A00 0000FFFF 00000A00 0000FFFD
3FEDB400: 00000A00 0000FFFD 00000A00 FFFE0000
3FEDB410: 00000012 0000FFFF 00000A00 0000FFFF
3FEDB420: 00000A00 4000017F 00000012 00000000
3FEDB430: 00003000 8FFE0000 00000011 00000000
3FEDB440: 00000000 0000FFFF 00000A01 0000FFFF
3FEDB450: 00000A01 0000FFFF 00000A00 0000FFFF
3FEDB460: 00000A01 0000FFFF 00000A01 0000FFFF
3FEDB470: 00000A00 0000005F 00000000 00600000
3FEDB480: 8006003A 0061FF9E 00061000 00800000
3FEDB490: 8008003A 10000FFF 81000032 00000000
3FEDB4A0: 00000000 0000FFFF 80000A01 0000FFFF
3FEDB4B0: 00000A00 0000FFFF 90000A01 0000FFFF
3FEDB4C0: 00000A00 0000FFFF A0000A01 0000FFFF
3FEDB4D0: 00000A00 0000FFFF B0000A01 0000FFFF
3FEDB4E0: 00000A00 0000FFFF C0000A01 0000FFFF
3FEDB4F0: 00000A00 0000FFFF D0000A01 0000FFFF
3FEDB500: 00000A00 0000FFFF E0000A01 0000FFFF
3FEDB510: 00000A00 0000FFFF F000003A 0000FFFF
3FEDB520: F0000A01 0000FFFF 00000A00 00000000
3FEDB530: 00000000 00000000 00000000 00000000
3FEDB540: 00000000 00000000 00000000 00000000
3FEDB550: 00000000 00000000 00000000 00000000
3FEDB560: 00000000 00000000 00000000 00000000
3FEDB570: 00000000 00000000 00000000 00000000
3FEDB580: 00000000 00000000 00000000 00000000
3FEDB590: 00000000 00000000 00000000 00000000
3FEDB5A0: 00000000 00000000 00000000 00000000
3FEDB5B0: 00000000 00000000 00000000 00000000
3FEDB5C0: 00000000 00000000 00000000 00000000
3FEDB5D0: 00000000 00000000 00000000 00000000
3FEDB5E0: 00000000 00000000 00000000 00000000
3FEDB5F0: 00000000 00000000 00000000 00000000
3FEDB600: 00000000 00000000 00000000 00000000
3FEDB610: 00000000 00000000 00000000 00000000
3FEDB620: 00000000 00000000 00000000 00000000
3FEDB630: 00000000 00000000 00000000 00000000
3FEDB640: 00000000 00000000 00000000 00000000
3FEDB650: 00000000 00000000 00000000 00000000
3FEDB660: 00000000 00000000 00000000 00000000
3FEDB670: 00000000 00000000 00000000 00000000
3FEDB680: 00000000 00000000 00000000 00000000
3FEDB690: 00000000 00000000 00000000 00000000
3FEDB6A0: 00000000 00000000 00000000 00000000
3FEDB6B0: 00000000 00000000 00000000 00000000
3FEDB6C0: 00000000 00000000 00000000 00000000
3FEDB6D0: 00000000 00000000 00000000 00000000
3FEDB6E0: 00000000 00000000 00000000 00000000
3FEDB6F0: 00000000 00000000 00000000 00000000


FreeBytes address:       logical = 0x3FAD8000
WorkArea_target address: logical = 0x00440000
SystemInfo addresses:    logical = 0x3FEE5000, physical = 0x3FEE5000
ProcessorInfo addresses: logical = 0x3FEE6000, physical = 0x3FEE6000

Offline darthnVader

Re: G5 qemu attempts.
« Reply #5 on: October 04, 2018, 08:23:46 PM »
Code:
HWInfo addresses:        logical = 0x3FEE4000, physical = 0x3FEE4000
HwInitInfo addresses:    logical = 0x3FEE7000, physical = 0x3FEE7000
NanoKernelEntry addresses: 0x00F10000

System info:
Dumping 320 bytes @ 0x3FEE5000
3FEE5000: 00000000 00000000 00000000 00000000
3FEE5010: 00000000 00000000 00000000 00000000
3FEE5020: 00000000 00000000 00000000 00000000
3FEE5030: 00000000 00C00000 00E58000 000A7000
3FEE5040: 01000000 FF000000 00000000 00000000
3FEE5050: 00000000 00000000 00000000 00000000
3FEE5060: 00000000 00000000 00000000 00000000
3FEE5070: 00000000 00000000 00000000 00000000
3FEE5080: 00000000 00000000 00000000 00000000
3FEE5090: 00000000 00000000 00000000 00000000
3FEE50A0: 00000000 00000000 00000000 00000000
3FEE50B0: 00000000 00000000 00000000 00000000
3FEE50C0: 00000000 00000000 00000000 00000000
3FEE50D0: 00000000 00000000 00000000 00000000
3FEE50E0: 00000000 00000000 00000000 00000000
3FEE50F0: 00000000 00000000 00000000 00000000
3FEE5100: 80040000 00000000 00000000 00000000
3FEE5110: 00000000 00000000 00000000 00000000
3FEE5120: 00000000 00000000 00000035 D0000000
3FEE5130: 00000000 00000000 00000000 00000000

Processor info:
Dumping 160 bytes @ 0x3FEE6000
3FEE6000: 003C0301 35A4E900 05F5E100 05F5E100
3FEE6010: 00001000 00008000 00010000 00800020
3FEE6020: 00000080 00800080 00800080 00040002
3FEE6030: 10000010 00000000 00000000 00000000
3FEE6040: 00000000 00000000 00000000 00000000
3FEE6050: 00000000 00000000 00000000 00000000
3FEE6060: 00000000 00000000 00000000 00000000
3FEE6070: 00000000 00000000 00000000 00000000
3FEE6080: 00000000 00000000 00000000 00000000
3FEE6090: 00000000 00000000 00000000 00000000

Hardware info:
Dumping 192 bytes @ 0x3FEE4000
3FEE4000: 00C00000 6400000C 640480A4 00003000
3FEE4010: 3FEDD000 3FEDF000 80040000 00000000
3FEE4020: 00000000 00000000 00000000 00000000
3FEE4030: 00000000 00000000 00000000 00001400
3FEE4040: 00000000 00000000 00000000 00000000
3FEE4050: 00000000 00000000 00000000 00000000
3FEE4060: 00000000 00000000 00000000 00000000
3FEE4070: 486E666F 00403035 00250024 08000800
3FEE4080: 00190000 08000800 00400000 00000000
3FEE4090: 00000000 00000004 00000000 00410000
3FEE40A0: 1A05D66A 00000000 3FEDE000 00000000
3FEE40B0: 00000000 00000000 00000000 00000000

HardwareInit info:
Dumping 32 bytes @ 0x3FEE7000
3FEE7000: 3FEE5000 3FEE6000 00000000 3FEE4000
3FEE7010: 00000000 00000080 00F10000 80012000

Cascade Info:
Dumping 516 bytes @ 0x00117818
00117818: 00000000 FFFFFFFF FFFFFFFF FFFFFFFF
00117828: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
00117838: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
00117848: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
00117858: FFFFFFFF 01040404 04040402 04020402
00117868: 02000000 00000000 00000000 00000000
00117878: 00000000 00000000 00000000 00000000
00117888: 00000000 00000000 00000000 00000000
00117898: 00000000 00000000 00000000 00000000
001178A8: 00000000 00000000 00000000 00000000
001178B8: 00000000 00000000 00000000 00000000
001178C8: 00000000 00000000 00000000 00000000
001178D8: 00000000 00000000 00000000 00000000
001178E8: 00000000 00000000 00000000 00000000
001178F8: 00000000 00000000 00000000 00000000
00117908: 00000000 00000000 00000000 00000000
00117918: 00000000 00000000 00000000 00000000
00117928: 00000000 00000000 00000000 00000000
00117938: 00000000 00000000 00000000 00000000
00117948: 00000000 00000000 00000000 00000000
00117958: 00000000 00000000 00000000 00000000
00117968: 00000000 00000000 00000000 00000000
00117978: 00000000 00000000 00000000 00000000
00117988: 00000000 00000000 00000000 00000000
00117998: 00000000 00000000 00000000 00000000
001179A8: 00000000 00000000 00000000 00000000
001179B8: 00000000 00000000 00000000 00000000
001179C8: 00000000 00000000 00000000 00000000
001179D8: 00000000 00000000 00000000 00000000
001179E8: 00000000 00000000 00000000 00000000
001179F8: 00000000 00000000 00000000 00000000
00117A08: 00000000 00000000 00000000 00000000
00117A18: 00000000

IsKeyDown: no keys held down
Overlap in AddMemoryRelocationEntry().
    - dst = 0x00003000, dstLength = 0x0000052C, entry->dst = 0x00000000, entry->dst_len = 0x000482B8.
Overlap in AddMemoryRelocationEntry().
    - dst = 0x00003F80, dstLength = 0x00000080, entry->dst = 0x00000000, entry->dst_len = 0x000482B8.
Overlap in AddMemoryRelocationEntry().
    - dst = 0x00003F40, dstLength = 0x00000040, entry->dst = 0x00000000, entry->dst_len = 0x000482B8.
Overlap in AddMemoryRelocationEntry().
    - dst = 0x00003CFC, dstLength = 0x00000204, entry->dst = 0x00000000, entry->dst_len = 0x000482B8.
Overlap in AddMemoryRelocationEntry().
    - dst = 0x00003F00, dstLength = 0x00000040, entry->dst = 0x00000000, entry->dst_len = 0x000482B8.
Updated BusClockRateHz: 399957011
Stopping at end of FCODE, due to fatal error (see above).
EXIT
0 >

Offline darthnVader

Re: G5 qemu attempts.
« Reply #6 on: October 05, 2018, 08:11:02 AM »
Seems to stop after Updated BusClockRateHz: 399957011.

Could this be an issue with not being able to understand a 400MHz bus speed?

Otherwise, it's not giving us any more info in AddMemoryRelocationEntry.

I did try fcode-debug? true and true to ?fcode-verbose; however, when loading a :tbxi it does load and go, so I can't do 1 byte-load to get verbose output to debug the fcode from a :tbxi.


Offline darthnVader

Re: G5 qemu attempts.
« Reply #7 on: October 05, 2018, 10:19:07 AM »
Seems we should be seeing:

Code:
HardwareInit info:
Dumping 32 bytes @ 0x3FEE7000
3FEE7000: 3FEE5000 3FEE6000 00000000 3FEE4000
3FEE7010: 00000000 00000020 00F10000 80012000

Cascade Info:
Dumping 516 bytes @ 0x00117818
00117818: 00000000 FFFFFFFF FFFFFFFF FFFFFFFF
00117828: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
00117838: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
00117848: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
00117858: FFFFFFFF 01040404 04040402 04020402
00117868: 02000000 00000000 00000000 00000000
00117878: 00000000 00000000 00000000 00000000
00117888: 00000000 00000000 00000000 00000000
00117898: 00000000 00000000 00000000 00000000
001178A8: 00000000 00000000 00000000 00000000
001178B8: 00000000 00000000 00000000 00000000
001178C8: 00000000 00000000 00000000 00000000
001178D8: 00000000 00000000 00000000 00000000
001178E8: 00000000 00000000 00000000 00000000
001178F8: 00000000 00000000 00000000 00000000
00117908: 00000000 00000000 00000000 00000000
00117918: 00000000 00000000 00000000 00000000
00117928: 00000000 00000000 00000000 00000000
00117938: 00000000 00000000 00000000 00000000
00117948: 00000000 00000000 00000000 00000000
00117958: 00000000 00000000 00000000 00000000
00117968: 00000000 00000000 00000000 00000000
00117978: 00000000 00000000 00000000 00000000
00117988: 00000000 00000000 00000000 00000000
00117998: 00000000 00000000 00000000 00000000
001179A8: 00000000 00000000 00000000 00000000
001179B8: 00000000 00000000 00000000 00000000
001179C8: 00000000 00000000 00000000 00000000
001179D8: 00000000 00000000 00000000 00000000
001179E8: 00000000 00000000 00000000 00000000
001179F8: 00000000 00000000 00000000 00000000
00117A08: 00000000 00000000 00000000 00000000
00117A18: 00000000

IsKeyDown: no keys held down
Updated BusClockRateHz: 399957011
Off to MacOS.  The next (and last) call into OpenFirmware is quiesce().

Quote
AddMemoryRelocationEntry is used to request that data structures be copied from one location to another when the system boots. It is not supposed to have multiple destinations overlapping, but that somehow happened.

That seems to be the trouble, but I don't really understand it. If we can figure out the overlap, maybe we can get a little further?

Offline Daniel

  • Silver Member
  • ****
  • Posts: 196
  • Programmer, Hacker, Thinker
Re: G5 qemu attempts.
« Reply #8 on: October 05, 2018, 01:36:11 PM »
This string seems to suggest the 0x00003xxx overlaps have to do with some struct at 0x68FEF000, at least according to the map from virt 0x68FEF000 to phys 0x3000. It has set up some initial values that it wants copied into that page when it boots. Some big overlapping 288k area starting at phys address 0 is getting in the way. I am not sure what struct 0x68FEF000 is supposed to be, though I know that is neither the KDP (0x68FFE000), the EDP (0x68FFF000), nor the copied device tree (0x64000000).
Code:
AddPageMapEntry: LA = 0x68FEF000, count = 0x0001, PA = 0x00003000, pageAttr = 0x0013, flags = 0x00.

Offline darthnVader

  • Gold Member
  • *****
  • Posts: 389
  • New Member
Re: G5 qemu attempts.
« Reply #9 on: October 05, 2018, 04:28:24 PM »
Quote
This string seems to suggest the 0x00003xxx overlaps have to do with some struct at 0x68FEF000, at least according to the map from virt 0x68FEF000 to phys 0x3000. It has set up some initial values that it wants copied into that page when it boots. Some big overlapping 288k area starting at phys address 0 is getting in the way. I am not sure what struct 0x68FEF000 is supposed to be, though I know that is neither the KDP (0x68FFE000), the EDP (0x68FFF000), nor the copied device tree (0x64000000).
Code:
AddPageMapEntry: LA = 0x68FEF000, count = 0x0001, PA = 0x00003000, pageAttr = 0x0013, flags = 0x00.

OK, I understand some of that. Is the data being copied from the PA to the VA or vice versa?

Also, I'm not really up on :tbxi resources, but I'm assuming the Mac OS ROM has an FCode wrapper, and it copies a bunch of needed data from the device tree and ?elsewhere?, then we're "Off to the Mac OS" ?nanokernel?.

I'm getting almost that far, but some of the last bits of FCode are failing to copy over data to the correct address.

Can we look at the FCode and see what it's trying to do?

detok it?

If we can separate the wrapper (FCode), I should be able to load it, rather than load and go, and use ?fcode-verbose to step through it to see where we are getting a ?default-catch?.

Other ideas?

Offline Daniel

  • Silver Member
  • ****
  • Posts: 196
  • Programmer, Hacker, Thinker
Re: G5 qemu attempts.
« Reply #10 on: October 05, 2018, 07:19:24 PM »
The short Forth boot script transfers control to an ELF program called the Trampoline. The Trampoline does a whole ton of init, loads the Toolbox ROM into memory, and jumps to the NanoKernel.

The virt address 0x68FEF000 corresponds with the single page at phys address 0x3000 (somewhere in RAM). The failing AddMemoryRelocationEntry() calls were supposed to transfer data from some temporary spot (unknown because the logs don't list src) to locations in that page (0x3000-352B is one; 0x3F80-3FFF, 0x3F40-3F7F, 0x3CFC-3EFF, and 0x3F00-3F3F are the others).

Something else is interfering with that by already claiming as a destination 288k of the phys memory starting at address 0. I am not sure what that is, but it is probably not supposed to happen. I am guessing that the "reg" or "assigned-addresses" property of something is being mangled because the Trampoline doesn't handle 64-bit stuff. But really, who knows?

powermax is working on decompiling the Trampoline. It is very much a work in progress. If you want to, ask him to grant access to his private GitLab repo. He might also be able to help patch the Trampoline to debug more on this stuff. I am not sure what the full state of work on the Trampoline is.

Offline powermax

  • Consistant Contributor
  • ***
  • Posts: 80
  • Hobbyist programmer
Re: G5 qemu attempts.
« Reply #11 on: October 06, 2018, 03:27:53 PM »
Quote
Can we look at the FCode and see what it's trying to do? detok it?

The error message at the end of the Trampoline is a bit misleading: there is no FCode executed there at all. Everything in the Trampoline is native code, either generated from C source or hand-crafted assembly.

Quote
Seems to stop after Updated BusClockRateHz: 399957011.

Could this be an issue with not being able to understand a 400 MHz bus speed?

No. The Trampoline has perfectly measured the clock speed of your bus as 399957011 Hz / 1000000 = 399.96 MHz. ;D

Offline powermax

  • Consistant Contributor
  • ***
  • Posts: 80
  • Hobbyist programmer
Re: G5 qemu attempts.
« Reply #12 on: October 06, 2018, 04:39:49 PM »
Code:
Overlap in AddMemoryRelocationEntry().
    - dst = 0x00003000, dstLength = 0x0000052C, entry->dst = 0x00000000, entry->dst_len = 0x000482B8.

This relocation belongs to the ConfigInfo structure.

Code:
Overlap in AddMemoryRelocationEntry().
    - dst = 0x00003F80, dstLength = 0x00000080, entry->dst = 0x00000000, entry->dst_len = 0x000482B8.

This one belongs to the vector lookup table.

Code:
Overlap in AddMemoryRelocationEntry().
    - dst = 0x00003F40, dstLength = 0x00000040, entry->dst = 0x00000000, entry->dst_len = 0x000482B8.

-> vector mask table

Code:
Overlap in AddMemoryRelocationEntry().
    - dst = 0x00003CFC, dstLength = 0x00000204, entry->dst = 0x00000000, entry->dst_len = 0x000482B8.

-> CascadeInfo

Code:
Overlap in AddMemoryRelocationEntry().
    - dst = 0x00003F00, dstLength = 0x00000040, entry->dst = 0x00000000, entry->dst_len = 0x000482B8.

-> vector priority table

All these areas overlap with the already claimed area 0x00000000...0x000482B8. For the time being, I cannot say for sure what's supposed to reside there, because the error in AddMemoryRelocationEntry() doesn't show us the source.

My guess is that the 288KB chunk is used by the flattened device tree stuffed into the "work area" in the Trampoline's jargon. According to its size, it can be neither the Toolbox ROM-in-RAM (too small) nor any other structure (too big).

Anyway, the usage of the area @0 (phys) looks suspicious to me. It indicates a serious problem in the Trampoline's physical memory sizing. The SystemInfo structure provides clear evidence:

Code:
System info:
Dumping 320 bytes @ 0x3FEE5000
3FEE5000: 00000000 00000000 00000000 00000000
3FEE5010: 00000000 00000000 00000000 00000000
3FEE5020: 00000000 00000000 00000000 00000000
3FEE5030: 00000000 00C00000 00E58000 000A7000
3FEE5040: 01000000 FF000000 00000000 00000000
[...]

The first two double words - PhysicalMemorySize and UsableMemorySize - contain zeroes! In other words, the Trampoline wasn't able to find any physical memory in your machine at all. The function responsible for memory size determination is called CalcRAMSize() and is located @ 0x2025F4. It queries the OF memory node for the "reg" property and then (mis)interprets its values.

Can you dump the memory/reg of your target?
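As an added example (not code from the thread or from the Trampoline itself), the following Python parses the overlap reports and the SystemInfo hexdump quoted above: it recovers the destination ranges Daniel listed in reply #10, checks each against the region the existing entry has already claimed, and reads out the two memory-size fields powermax points at. The structure names and the 1024 MB expectation come from this thread; reading the fields as 32-bit words (the dump's column width) is an assumption.

```python
import re

# Constructed input: the five "Overlap in AddMemoryRelocationEntry()" reports quoted in
# this thread. They are the Trampoline's requested destinations; the source is not logged.
OVERLAP_LOG = """\
Overlap in AddMemoryRelocationEntry().
    - dst = 0x00003000, dstLength = 0x0000052C, entry->dst = 0x00000000, entry->dst_len = 0x000482B8.
Overlap in AddMemoryRelocationEntry().
    - dst = 0x00003F80, dstLength = 0x00000080, entry->dst = 0x00000000, entry->dst_len = 0x000482B8.
Overlap in AddMemoryRelocationEntry().
    - dst = 0x00003F40, dstLength = 0x00000040, entry->dst = 0x00000000, entry->dst_len = 0x000482B8.
Overlap in AddMemoryRelocationEntry().
    - dst = 0x00003CFC, dstLength = 0x00000204, entry->dst = 0x00000000, entry->dst_len = 0x000482B8.
Overlap in AddMemoryRelocationEntry().
    - dst = 0x00003F00, dstLength = 0x00000040, entry->dst = 0x00000000, entry->dst_len = 0x000482B8.
"""

# Constructed input: the first rows of the SystemInfo hexdump quoted in this thread.
SYSTEM_INFO_DUMP = """\
System info:
Dumping 320 bytes @ 0x3FEE5000
3FEE5000: 00000000 00000000 00000000 00000000
3FEE5010: 00000000 00000000 00000000 00000000
3FEE5020: 00000000 00000000 00000000 00000000
3FEE5030: 00000000 00C00000 00E58000 000A7000
3FEE5040: 01000000 FF000000 00000000 00000000
"""

# Structure names powermax attached to each destination address in this thread.
STRUCT_NAMES = {
    0x3000: "ConfigInfo",
    0x3F80: "vector lookup table",
    0x3F40: "vector mask table",
    0x3CFC: "CascadeInfo",
    0x3F00: "vector priority table",
}

OVERLAP_RE = re.compile(
    r"dst = 0x([0-9A-Fa-f]+), dstLength = 0x([0-9A-Fa-f]+), "
    r"entry->dst = 0x([0-9A-Fa-f]+), entry->dst_len = 0x([0-9A-Fa-f]+)"
)
DUMP_ROW_RE = re.compile(r"^([0-9A-Fa-f]{8}):((?:[ \t]+[0-9A-Fa-f]{8})+)[ \t]*$", re.MULTILINE)


def parse_overlaps(log):
    """Return (dst, dst_len, entry_dst, entry_len) tuples, one per overlap report."""
    return [tuple(int(x, 16) for x in m.groups()) for m in OVERLAP_RE.finditer(log)]


def ranges_overlap(a_start, a_len, b_start, b_len):
    """Half-open interval test: the condition a relocation-table insert has to reject."""
    return a_start < b_start + b_len and b_start < a_start + a_len


def describe_overlaps(log):
    """One record per report: structure name, inclusive destination range, the range
    already claimed by the existing entry, and whether the two really collide."""
    records = []
    for dst, dlen, edst, elen in parse_overlaps(log):
        records.append({
            "name": STRUCT_NAMES.get(dst, "unknown"),
            "start": dst,
            "end": dst + dlen - 1,
            "claimed": (edst, edst + elen - 1),
            "collides": ranges_overlap(dst, dlen, edst, elen),
        })
    return records


def parse_dump(text):
    """Turn 'ADDR: w0 w1 w2 w3' hexdump rows into a dict of 32-bit words keyed by address."""
    words = {}
    for m in DUMP_ROW_RE.finditer(text):
        base = int(m.group(1), 16)
        for i, word in enumerate(m.group(2).split()):
            words[base + 4 * i] = int(word, 16)
    return words


def system_info_memory_sizes(text, base=0x3FEE5000):
    """PhysicalMemorySize and UsableMemorySize, the first two fields of SystemInfo.
    Assumption: read as 32-bit words, matching the dump's columns; the dump's leading
    zeros give the same answer under a 64-bit reading."""
    words = parse_dump(text)
    return words[base], words[base + 4]


def system_info_is_plausible(text, expected_ram=1024 * 1024 * 1024):
    """The sanity check powermax proposes: 1024 MB reported and a non-zero usable size."""
    phys, usable = system_info_memory_sizes(text)
    return phys == expected_ram and 0 < usable <= phys


if __name__ == "__main__":
    for rec in describe_overlaps(OVERLAP_LOG):
        print(f"{rec['name']:<22} 0x{rec['start']:05X}-0x{rec['end']:05X} collides with "
              f"0x{rec['claimed'][0]:05X}-0x{rec['claimed'][1]:05X}: {rec['collides']}")
    print("SystemInfo memory sizes:", system_info_memory_sizes(SYSTEM_INFO_DUMP))
    print("SystemInfo plausible:", system_info_is_plausible(SYSTEM_INFO_DUMP))
```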

Offline powermax

  • Consistant Contributor
  • ***
  • Posts: 80
  • Hobbyist programmer
Re: G5 qemu attempts.
« Reply #13 on: October 06, 2018, 05:03:48 PM »
Quote
The first two double words - PhysicalMemorySize and UsableMemorySize - contain zeroes! In other words, the Trampoline wasn't able to find any physical memory in your machine at all. The function responsible for memory size determination is called CalcRAMSize() and is located @ 0x2025F4. It queries the OF memory node for the "reg" property and then (mis)interprets its values.

I must correct myself: CalcRAMSize() should report a fatal error and exit if no physical memory was found. But in your precise case, the program keeps running, so the problem resides somewhere else. Anyway, the above-mentioned dump of the SystemInfo looks invalid, and that's the point where to start any further investigation.
« Last Edit: October 07, 2018, 03:36:14 PM by powermax »

Offline ELN

  • Silver Member
  • ****
  • Posts: 233
  • new to the forums
Re: G5 qemu attempts.
« Reply #14 on: October 07, 2018, 01:02:48 AM »
Very interesting thread people! Keep it up!

Offline darthnVader

  • Gold Member
  • *****
  • Posts: 389
  • New Member
Re: G5 qemu attempts.
« Reply #15 on: October 07, 2018, 01:22:41 AM »
Thanks powermax, do I need to dump Sysinfo?

How would I go about that?

qemu-system-ppc64 boots with the same settings, only amend -cpu g4 rather than the 970fx. I haven't dug through all the code to see what choosing a 64-bit CPU changes. Though on a side note, one can boot OS X with 4GB of RAM with the G4 emulation. Not technically 64-bit address space, but it shows how emulators are not subject to the physical limitations of real hardware.

I forget the reason the G4 couldn't address 4GB; I read it many years ago, something about how it could, but the upper 2GB was only available for shadow memory, or some such. Someone took the time to fix that with qemu.

In the case of the G5, I expect we could "fix" OS 9 booting, given enough time and testing, but we may end up changing some of the G5 CPU emulation in ways that break Linux booting.

OS X doesn't boot; someone needs to implement spr 304 (0x130), and even if it did get mach_kernel to boot, the emulated Sawtooth and a G5 CPU are not really going to work together.

 

Offline powermax

  • Consistant Contributor
  • ***
  • Posts: 80
  • Hobbyist programmer
Re: G5 qemu attempts.
« Reply #16 on: October 07, 2018, 01:31:04 AM »
Quote
Thanks powermax, do I need to dump Sysinfo?

How would I go about that?

Does QEMU allow debugging of the running targets? In other words, can you set breakpoints and trace the Trampoline code in QEMU?

Offline darthnVader

  • Gold Member
  • *****
  • Posts: 389
  • New Member
Re: G5 qemu attempts.
« Reply #17 on: October 07, 2018, 02:41:27 AM »
Quote
Thanks powermax, do I need to dump Sysinfo?

How would I go about that?

Quote
Does QEMU allow debugging of the running targets? In other words, can you set breakpoints and trace the Trampoline code in QEMU?

Yes, I'm pretty sure it can do that. I'll have to check the breakpoints; I don't recall right off, but I'm thinking yes.

I'm on the road right now; later this week I'll set up the needed PPC debugging environment for Qemu, if you walk me through how to use it.

Also fun for anyone else that wants to play along. ;D

Offline Naiw

  • Consistant Contributor
  • ***
  • Posts: 101
  • new to the forums
Re: G5 qemu attempts.
« Reply #18 on: October 07, 2018, 10:22:39 PM »
Quote
Thanks powermax, do I need to dump Sysinfo?

How would I go about that?

qemu-system-ppc64 boots with the same settings, only amend -cpu g4 rather than the 970fx. I haven't dug through all the code to see what choosing a 64-bit CPU changes. Though on a side note, one can boot OS X with 4GB of RAM with the G4 emulation. Not technically 64-bit address space, but it shows how emulators are not subject to the physical limitations of real hardware.

I forget the reason the G4 couldn't address 4GB; I read it many years ago, something about how it could, but the upper 2GB was only available for shadow memory, or some such. Someone took the time to fix that with qemu.

In the case of the G5, I expect we could "fix" OS 9 booting, given enough time and testing, but we may end up changing some of the G5 CPU emulation in ways that break Linux booting.

OS X doesn't boot; someone needs to implement spr 304 (0x130), and even if it did get mach_kernel to boot, the emulated Sawtooth and a G5 CPU are not really going to work together.

 

OS X works just fine with KVM on a G5, but we've already had this discussion.

Plenty of people have/had it running; I used to run it too, both with QEMU and MOL.

This is just one example of someone who has it working.
https://youtu.be/lbDj4NGEJEQ

Offline darthnVader

  • Gold Member
  • *****
  • Posts: 389
  • New Member
Re: G5 qemu attempts.
« Reply #19 on: October 08, 2018, 07:41:32 AM »
Quote
Thanks powermax, do I need to dump Sysinfo?

How would I go about that?

qemu-system-ppc64 boots with the same settings, only amend -cpu g4 rather than the 970fx. I haven't dug through all the code to see what choosing a 64-bit CPU changes. Though on a side note, one can boot OS X with 4GB of RAM with the G4 emulation. Not technically 64-bit address space, but it shows how emulators are not subject to the physical limitations of real hardware.

I forget the reason the G4 couldn't address 4GB; I read it many years ago, something about how it could, but the upper 2GB was only available for shadow memory, or some such. Someone took the time to fix that with qemu.

In the case of the G5, I expect we could "fix" OS 9 booting, given enough time and testing, but we may end up changing some of the G5 CPU emulation in ways that break Linux booting.

OS X doesn't boot; someone needs to implement spr 304 (0x130), and even if it did get mach_kernel to boot, the emulated Sawtooth and a G5 CPU are not really going to work together.

 

Quote
OS X works just fine with KVM on a G5, but we've already had this discussion.

Plenty of people have/had it running; I used to run it too, both with QEMU and MOL.

This is just one example of someone who has it working.
https://youtu.be/lbDj4NGEJEQ

Qemu works with G5 hosts with KVM, but only when passing a 32-bit PPC CPU to the guest machine, and it won't boot OS 9. OS 9 booting also doesn't work with KVM on 32-bit PPC hosts.


Offline ELN

  • Silver Member
  • ****
  • Posts: 233
  • new to the forums
Re: G5 qemu attempts.
« Reply #20 on: October 08, 2018, 09:24:20 PM »
Are we reasonably confident that the G5 is in 32-bit mode when the Trampoline gets control? I’m trying to imagine what would happen if you ran code intended for 32-bit PPC under 64-bit mode, and I can imagine it working.

Also, Max, have you yet reversed the stuff that interprets “Reg” properties?

Offline Naiw

  • Consistant Contributor
  • ***
  • Posts: 101
  • new to the forums
Re: G5 qemu attempts.
« Reply #21 on: October 09, 2018, 01:35:55 AM »
KVM does not emulate the CPU at all at the OEA/VEA level.

It can fake the PVR bits, but that doesn't affect the emulation. (At the UISA level the KVM-PR module can do some instruction emulation, but it doesn't attempt anything else as far as I know.) KVM on x86 works the same.


Offline Naiw

  • Consistant Contributor
  • ***
  • Posts: 101
  • new to the forums
Re: G5 qemu attempts.
« Reply #22 on: October 09, 2018, 01:54:04 AM »
To clarify: if you say -cpu 604 to qemu when using KVM, that does not mean you will run as a 604; if you have a G5, a G5 is what the guest OS will get. It will however lie, because it traps the PVR bits and will return 604.

KVM is fast because it does NOT emulate but rather passes the hardware through as is, the very same reason QEMU without KVM is quite slow, as it has to emulate things like address translation that occur virtually all the time.

There is no way around that: an MMU on an arbitrary CPU can't be reconfigured to behave like an MMU on a totally different processor, so either you pass through and accept that, or you emulate and have absolutely no benefit from KVM.

The PPC KVM is a bit different though, as they have kvm-hv (pure hypervisor/passthrough, as on all other KVM arches) and kvm-pr (problem mode). kvm-pr runs code in problem mode and traps instructions it can't understand; this is sort of a middle ground (this is very much what MacOnLinux used to do). However, as I said, it does not and cannot emulate the memory management.

And back to the (non) issue about OS X on the G5:
OS X doesn't give a rat's about the platform a particular CPU is on; it has absolutely no problem running a G5 with a mac99 motherboard. It's handled by different parts of the system: the platform expert just loads the drivers based on what the device tree says. If there is any CPU expectation within any of these drivers, they're faulty/incorrectly written.

Offline powermax

  • Consistant Contributor
  • ***
  • Posts: 80
  • Hobbyist programmer
Re: G5 qemu attempts.
« Reply #23 on: October 09, 2018, 02:03:00 AM »
Quote
Also, Max, have you yet reversed the stuff that interprets “Reg” properties?

Yes. As for memory regions, the stuff is located in utils.c:CalcRAMSize().

Device tree walking code also interprets "reg" properties attached to various devices in order to calculate the device's base address. That stuff is much more complex. It has been reversed as well but still needs a cleanup.

Offline powermax

  • Consistant Contributor
  • ***
  • Posts: 80
  • Hobbyist programmer
Re: G5 qemu attempts.
« Reply #24 on: October 09, 2018, 02:28:00 AM »
Quote
And back to the (non) issue about OS X on the G5,

Let's get back on track. The OS 9 Trampoline doesn't depend on a particular CPU until we get into the RelocationEngine that reprograms the BATs. But that's the last step before the Nanokernel, just after OF has been shut down.
For the time being, we haven't got that far due to the fatal error caused by overlapping relocation regions.

The Trampoline code depends on OF and the MMU. Regarding the former, OpenBIOS is not the same as Apple's proprietary OF implementation; it can behave differently and thus cause the Trampoline to fail.

It can also be an issue with the 64-bit MMU. That's what we need to figure out by means of debugging.

Quote
In the case of the G5, I expect we could "fix" OS 9 booting, given enough time and testing, but we may end up changing some of the G5 CPU emulation in ways that break Linux booting.

You're right regarding our ability to fix OS 9 boot on G5. But we aren't going to break the existing QEMU emulation, we'll fix the Trampoline instead. That's why I'm working hard on finishing its decompilation.
« Last Edit: October 09, 2018, 03:02:10 AM by powermax »

Offline Naiw

  • Consistant Contributor
  • ***
  • Posts: 101
  • new to the forums
Re: G5 qemu attempts.
« Reply #25 on: October 09, 2018, 11:07:39 AM »
Quote
And back to the (non) issue about OS X on the G5,

Let's get back on track. The OS 9 Trampoline doesn't depend on a particular CPU until we get into the RelocationEngine that reprograms the BATs. But that's the last step before the Nanokernel, just after OF has been shut down.
For the time being, we haven't got that far due to the fatal error caused by overlapping relocation regions.

The Trampoline code depends on OF and the MMU. Regarding the former, OpenBIOS is not the same as Apple's proprietary OF implementation; it can behave differently and thus cause the Trampoline to fail.

It can also be an issue with the 64-bit MMU. That's what we need to figure out by means of debugging.


Absolutely, but this has been discussed before, and the attempt is quite futile since the 970 doesn't have any BATs.

The fact that the 970 can run OS 9 (i.e. UISA compatibility, excluding eventual driver issues etc.) is already demonstrated by the Blue Box/Classic.

And yes, you are right that OpenBIOS is different, but it should also be noted that the compatibility problem has been fixed enough to at least boot OS 9 with a 32-bit PPC. Whether the 64-bit and 32-bit builds use the same OpenBIOS images I don't recall, however.


Offline ELN

  • Silver Member
  • ****
  • Posts: 233
  • new to the forums
Re: G5 qemu attempts.
« Reply #26 on: October 09, 2018, 06:00:31 PM »
I believe that the 970 actually does have BATs. They are absent from the 970FX and 970MP.

But we could patch the kernel, or soon the Trampoline, not to use them.

Offline darthnVader

  • Gold Member
  • *****
  • Posts: 389
  • New Member
Re: G5 qemu attempts.
« Reply #27 on: October 09, 2018, 08:34:37 PM »
I set up gdb-multiarch; I think it will work for what we need here, but I'm unsure what breakpoint to set?

Offline powermax

  • Consistant Contributor
  • ***
  • Posts: 80
  • Hobbyist programmer
Re: G5 qemu attempts.
« Reply #28 on: October 10, 2018, 12:51:58 AM »
Quote
I set up gdb-multiarch; I think it will work for what we need here, but I'm unsure what breakpoint to set?

I need to know your Trampoline version first. Can you tell me its MD5 checksum? Or upload your "Mac OS ROM" somewhere for me to grab?

Offline darthnVader

  • Gold Member
  • *****
  • Posts: 389
  • New Member
Re: G5 qemu attempts.
« Reply #29 on: October 10, 2018, 05:28:04 PM »


Mac OS ROM 9.2.1, unmodified.

Offline powermax

  • Consistant Contributor
  • ***
  • Posts: 80
  • Hobbyist programmer
Re: G5 qemu attempts.
« Reply #30 on: October 11, 2018, 03:42:13 AM »
Quote
Mac OS ROM 9.2.1, unmodified.

I don't have this image, sorry. Fortunately, there is no big difference between the Trampolines in OS 9.2.x.

IIRC, the Trampoline is loaded by the Forth boot script and mapped into memory starting at 0x100000 (data sections) and 0x200000 (executable code). I hope that's correct.

You want to set a breakpoint at the subroutine @ 0x2025F4 (CalcRAMSize) and ensure that it works as expected: the first double word of SystemInfo (PPC register r3 will point to it at exit of this function) should contain the correct size of the assigned memory (1024 MB).

I'm pretty sure that CalcRAMSize works as expected. It's meant to be a test ensuring that you can break into the Trampoline and trace its code.

Offline darthnVader

  • Gold Member
  • *****
  • Posts: 389
  • New Member
Re: G5 qemu attempts.
« Reply #31 on: October 11, 2018, 04:11:37 AM »
Quote
Mac OS ROM 9.2.1, unmodified.

I don't have this image, sorry. Fortunately, there is no big difference between the Trampolines in OS 9.2.x.

IIRC, the Trampoline is loaded by the Forth boot script and mapped into memory starting at 0x100000 (data sections) and 0x200000 (executable code). I hope that's correct.

You want to set a breakpoint at the subroutine @ 0x2025F4 (CalcRAMSize) and ensure that it works as expected: the first double word of SystemInfo (PPC register r3 will point to it at exit of this function) should contain the correct size of the assigned memory (1024 MB).

I'm pretty sure that CalcRAMSize works as expected. It's meant to be a test ensuring that you can break into the Trampoline and trace its code.

Ok, breakpoint not working with gdb-multiarch:

Code:
(gdb) target remote localhost:1234
(gdb) break CalcRAMSize
(gdb) continue

It just boots the Mac OS and only waits before continue.

I'm sure I'm doing something wrong here; maybe I need some PPC libs installed, my host is x86.

Offline powermax

  • Consistant Contributor
  • ***
  • Posts: 80
  • Hobbyist programmer
Re: G5 qemu attempts.
« Reply #32 on: October 11, 2018, 05:41:24 AM »
Quote
Ok, breakpoint not working with gdb-multiarch:

Code:
(gdb) target remote localhost:1234
(gdb) break CalcRAMSize

Ugh, you need to break at memory addresses, not symbol names, because the bundled Trampoline doesn't contain symbols!

Code:
(gdb) break *0x2025F4

is what you need, but that will only work once the Trampoline code has been loaded into memory.

In order to break into the Trampoline the first time, you'll need to set up a hardware breakpoint. If it works on your host, you're lucky. If it doesn't work, you'll need to resort to another bag of tricks, for example intercepting the boot script or setting breakpoints at the OF client interface handler and then manually tracing into the Trampoline code.

All this isn't fun at all but you've already agreed to get your hands dirty, so please go on ;)
« Last Edit: October 11, 2018, 03:49:18 PM by powermax »

Offline ELN

  • Silver Member
  • ****
  • Posts: 233
  • new to the forums
Re: G5 qemu attempts.
« Reply #33 on: October 11, 2018, 06:10:50 AM »
Patchpef (https://github.com/elliotnunn/patchpef) is a script that I hacked together to make small assembly-language patches to PEF files. Not at all pretty, but it was a big help in patching OS 9 to run on the Mac mini. It could pretty easily be adapted to insert arbitrary printfs into the Trampoline, as an alternative to debugger breakpoints.

Offline powermax

  • Consistant Contributor
  • ***
  • Posts: 80
  • Hobbyist programmer
Re: G5 qemu attempts.
« Reply #34 on: October 11, 2018, 06:31:01 AM »
Quote
Patchpef (https://github.com/elliotnunn/patchpef) is a script that I hacked together to make small assembly-language patches to PEF files.

The Trampoline comes as an ELF binary, so we'd need to teach your script how to understand ELF first.

Patching existing binaries to inject debugging code can be very cumbersome and slow. Instrumented emulators are generally much better because they allow tracing code and analyzing its behavior much quicker than static analysis tools (disassemblers). Armed with the right tool, spotting the issue in the binary code is often a question of a few minutes...

Offline darthnVader

  • Gold Member
  • *****
  • Posts: 389
  • New Member
Re: G5 qemu attempts.
« Reply #35 on: October 11, 2018, 11:09:36 AM »
Ok, here is what I have so far:


Qemu-PPC
Code:
qemu-system-ppc64 -s -S -M mac99 -m 1024 -cpu ppc64 -hda ~/os9/os9.img -prom-env "aapl,debug=13FFF" -prom-env "fcode-debug?=true" -prom-env "auto-boot?=false" --nographic

>> =============================================================
>> OpenBIOS 1.1 [Feb 22 2018 07:53]
>> Configuration device id QEMU version 1 machine id 3
>> CPUs: 1
>> Memory: 1024M
>> UUID: 00000000-0000-0000-0000-000000000000
>> CPU type PowerPC,970FX
milliseconds isn't unique.
Welcome to OpenBIOS v1.1 built on Feb 22 2018 07:53

0 > boot Trying hd:,\\:tbxi...
>> switching to new context:
AAPL,debug bit settings (-OR- bits together):
       1 * = Print general informative messages.
       2 * = Print formatted Mac OS tables (except config/universal info).
       4 * = Print formatted config info table.
       8 * = Dump Mac OS tables (except config/universal info).
      10 * = Print node names while copying the device tree.
      20 * = Print property info while copying the device tree.
      40 * = Print interrupt-related info.
      80 * = Print interrupt tree traversal info.
     100 * = Print address resolution info.
     200 * = Print NV-RAM info.
     400 * = Print Mac OS "universal" info.
     800 * = Print "special" node info.
    1000 * = Load EtherPrintf utility via parcel for post FCode debugging.
    2000 * = Print BOOTP/DHCP/BSDP information.
    4000   = Allocate writable ROM aperture.
    8000   = Mark Toolbox image as non-cacheable.
   10000 * = Print parcel info while copying the device tree.
   20000   = Print information on device tree data checksums.
 1000000   = Enable the Nanokernel debugger.
 2000000   = Display the Nanokernel log during boot.
10000000   = Dont attempt to unhibernate system.
40000000   = Halt after end of FCode (useful if outputting to screen).

MacOS: RTAS not found.
work area logical address = 0x3FAD8000, physical address = 0x3FAD8000.
IsKeyDown: no keys held down


gdb-multiarch

Code:
gdb-multiarch
GNU gdb (Debian 7.12-6) 7.12.0.20161007-git
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".

warning: scripts/qemu-gdb.py: No such file or directory
(gdb) target remote localhost:1234
Remote debugging using localhost:1234
warning: No executable has been specified and target does not support
determining executable automatically.  Try using the "file" command.
0x0001f0ff00000000 in ?? ()
(gdb) break *0x2025f4
Breakpoint 1 at 0x2025f4
(gdb) continue
Continuing.

Program received signal SIGTRAP, Trace/breakpoint trap.
0xf425200000000000 in ?? ()
(gdb)


Am I getting the proper breakpoint for our test?
« Last Edit: October 11, 2018, 11:51:04 AM by darthnVader »

Offline powermax

  • Consistant Contributor
  • ***
  • Posts: 80
  • Hobbyist programmer
Re: G5 qemu attempts.
« Reply #36 on: October 11, 2018, 01:45:21 PM »
Quote
Code:
Program received signal SIGTRAP, Trace/breakpoint trap.
0xf425200000000000 in ?? ()
(gdb)

Am I getting the proper breakpoint for our test?

What does
Code:
(gdb) disas $pc

say when you hit the breakpoint?

Does the following command sequence work?

Code:
(gdb)display/i $pc
(gdb)stepi

You should be able to execute instruction by instruction and see the PPC Asm of the instruction to be executed next.

Offline darthnVader

  • Gold Member
  • *****
  • Posts: 389
  • New Member
Re: G5 qemu attempts.
« Reply #37 on: October 12, 2018, 03:52:09 AM »
That didn't work; gdb-multiarch must be the wrong debugger. I'll see if I can figure out how to set up PPC gdb.

Code:
gdb-multiarch
GNU gdb (Debian 7.12-6) 7.12.0.20161007-git
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".

warning: scripts/qemu-gdb.py: No such file or directory
(gdb) target remote localhost:1234
Remote debugging using localhost:1234
warning: No executable has been specified and target does not support
determining executable automatically.  Try using the "file" command.
0x0001f0ff00000000 in ?? ()
(gdb) break *0x2025f4
Breakpoint 1 at 0x2025f4
(gdb) continue
Continuing.

Program received signal SIGTRAP, Trace/breakpoint trap.
0xf425200000000000 in ?? ()
(gdb) disas $pc
No function contains specified address.
(gdb) disas $pc
No function contains specified address.
(gdb) display/i $pc
1: x/i $pc
=> 0xf425200000000000:
    <error: Cannot access memory at address 0xf425200000000000>
(gdb) stepi

Program stopped.
0xf425200000000000 in ?? ()
1: x/i $pc
=> 0xf425200000000000:
    <error: Cannot access memory at address 0xf425200000000000>
Cannot access memory at address 0xf425200000000000
(gdb)

Offline darthnVader

  • Gold Member
  • *****
  • Posts: 389
  • New Member
Re: G5 qemu attempts.
« Reply #38 on: October 12, 2018, 04:46:19 AM »
I built powerpc-linux-gdb, but I'm unsure I built it correctly?

Code:
(gdb) disas $pc
No function contains specified address.
(gdb) display/i $pc
1: x/i $pc
=> 0x2025f8: stmw    r28,-16(r1)
(gdb) stepi
0x00000000002025fc in ?? ()
1: x/i $pc
=> 0x2025fc: stw     r0,8(r1)
(gdb)

It looks like maybe it's returning PPC assembly; am I getting warmer?
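The two stop addresses gdb-multiarch printed in the sessions above, 0x0001f0ff00000000 and 0xf425200000000000, are exactly 0xFFF00100 (the PowerPC reset vector OpenBIOS starts from) and 0x2025F4 (the breakpoint) with their eight bytes reversed, which is what a debugger shows when it reads a big-endian 64-bit register in little-endian order; the powerpc-linux-gdb session reports sane 32-bit addresses. As an added check (not from the thread), this Python scans a gdb transcript for such addresses; the transcript lines are constructed from the sessions quoted above.

```python
import re
import struct

# Constructed transcript: stop lines taken from the gdb-multiarch and powerpc-linux-gdb
# sessions quoted in this thread.
GDB_TRANSCRIPT = """\
0x0001f0ff00000000 in ?? ()
(gdb) break *0x2025f4
Breakpoint 1 at 0x2025f4
(gdb) continue
Continuing.

Program received signal SIGTRAP, Trace/breakpoint trap.
0xf425200000000000 in ?? ()
(gdb) stepi
0x00000000002025fc in ?? ()
"""

# PowerPC system reset vector with the exception prefix at the top of the address space;
# OpenBIOS begins execution there, so it is the first stop a fresh "-S" target reports.
PPC_RESET_VECTOR = 0xFFF00100

STOP_RE = re.compile(r"^(?:Breakpoint \d+, )?0x([0-9a-fA-F]+) in \?\? \(\)")


def byteswap64(value):
    """Reinterpret a 64-bit value with its eight bytes in the opposite order."""
    return struct.unpack("<Q", struct.pack(">Q", value))[0]


def is_byte_swapped(reported, expected):
    """True when 'reported' is 'expected' read in the wrong byte order."""
    return byteswap64(reported) == expected


def stop_addresses(transcript):
    """Every address gdb printed in an 'ADDR in ?? ()' stop line, in order."""
    return [int(m.group(1), 16) for line in transcript.splitlines()
            if (m := STOP_RE.match(line))]


def suspicious_stops(transcript):
    """Stops that cannot be a 32-bit PPC address, each paired with its byte-reversed
    reading; a reversed reading below 4 GB is the tell-tale of an endianness mismatch."""
    findings = []
    for addr in stop_addresses(transcript):
        if addr >= 1 << 32:
            findings.append((addr, byteswap64(addr)))
    return findings


if __name__ == "__main__":
    for reported, swapped in suspicious_stops(GDB_TRANSCRIPT):
        print(f"0x{reported:016x} -> 0x{swapped:08x} when read big-endian")
```

In gdb itself, `set endian big` (and the matching `set architecture`) before `target remote` is the usual way to stop this happening.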

Offline powermax

  • Consistant Contributor
  • ***
  • Posts: 80
  • Hobbyist programmer
Re: G5 qemu attempts.
« Reply #39 on: October 12, 2018, 05:01:35 AM »
Quote
That didn't work; gdb-multiarch must be the wrong debugger. I'll see if I can figure out how to set up PPC gdb.

Did you try to invoke qemu-system-ppc64 with the "-g" option? Quoting https://reverseengineering.stackexchange.com/questions/8829/cross-debugging-for-arm-mips-elf-with-qemu-toolchain

Quote
In order to debug the binary with GDB, you need to launch qemu-mips so that it exposes a GDB stub, and connect from GDB.

Here another similar post: http://tinkering-is-fun.blogspot.com/2009/12/debugging-non-native-programs-with-qemu.html

Offline darthnVader

  • Gold Member
  • *****
  • Posts: 389
  • New Member
Re: G5 qemu attempts.
« Reply #40 on: October 12, 2018, 05:47:07 AM »
That didn't work, gdb-multiarch must be the wrong debugger, I'll see if I can figure how to setup PPC gdb.

Did you try to invoke qemu-system-ppc64 with the "-g" option? Quoting https://reverseengineering.stackexchange.com/questions/8829/cross-debugging-for-arm-mips-elf-with-qemu-toolchain

Quote
In order to debug the binary with GDB, you need to launch qemu-mips so that it exposes a GDB stub, and connect from GDB.

Here is another similar post: http://tinkering-is-fun.blogspot.com/2009/12/debugging-non-native-programs-with-qemu.html

The -g argument is reserved for the graphics mode on the mac99 machine in qemu-system-ppc.

Offline darthnVader

  • Gold Member
  • *****
  • Posts: 389
  • New Member
Re: G5 qemu attempts.
« Reply #41 on: October 12, 2018, 07:04:40 AM »
I don't know if I'm doing this correctly, or if I have the debugger set up correctly, however:

It seems the closest point in the trampoline I can find a breakpoint for, before we get to the memory overlap, is a breakpoint at 0x20dccc.

Code: [Select]
Breakpoint 2, 0x000000000020dccc in ?? ()
(gdb) display/i $pc
1: x/i $pc
=> 0x20dccc: stwu    r1,-80(r1)
(gdb) stepi
0x000000000020dcd0 in ?? ()
1: x/i $pc
=> 0x20dcd0: stw     r6,116(r1)
(gdb)
0x000000000020dcd4 in ?? ()
1: x/i $pc
=> 0x20dcd4: stw     r7,120(r1)
(gdb)
0x000000000020dcd8 in ?? ()
1: x/i $pc
=> 0x20dcd8: stw     r8,124(r1)
(gdb)
0x000000000020dcdc in ?? ()
1: x/i $pc
=> 0x20dcdc: stw     r9,128(r1)
(gdb)
0x000000000020dce0 in ?? ()
1: x/i $pc
=> 0x20dce0: stw     r10,132(r1)
(gdb)
0x000000000020dce4 in ?? ()
1: x/i $pc
=> 0x20dce4: lwz     r30,-12(r2)
(gdb)
0x000000000020dce8 in ?? ()
1: x/i $pc
=> 0x20dce8: mr      r29,r5
(gdb)
0x000000000020dcec in ?? ()
1: x/i $pc
=> 0x20dcec: addi    r6,r2,26808
(gdb)
0x000000000020dcf0 in ?? ()
1: x/i $pc
=> 0x20dcf0: addi    r8,r29,2
(gdb)
0x000000000020dcf4 in ?? ()
1: x/i $pc
=> 0x20dcf4: stw     r6,0(r30)
(gdb)
0x000000000020dcf8 in ?? ()
1: x/i $pc
=> 0x20dcf8: cmpwi   r29,0
(gdb)
0x000000000020dcfc in ?? ()
1: x/i $pc
=> 0x20dcfc: stw     r8,4(r30)
(gdb)
0x000000000020dd00 in ?? ()
1: x/i $pc
=> 0x20dd00: addi    r31,r1,120
(gdb)
0x000000000020dd04 in ?? ()
1: x/i $pc
=> 0x20dd04: lwz     r9,116(r1)
(gdb)
0x000000000020dd08 in ?? ()
1: x/i $pc
=> 0x20dd08: addi    r7,r30,20
(gdb)
0x000000000020dd0c in ?? ()
1: x/i $pc
=> 0x20dd0c: addi    r9,r9,1
(gdb)
0x000000000020dd10 in ?? ()
1: x/i $pc
=> 0x20dd10: stw     r9,8(r30)
(gdb)
0x000000000020dd14 in ?? ()
1: x/i $pc
=> 0x20dd14: stw     r3,12(r30)
(gdb)
0x000000000020dd18 in ?? ()
1: x/i $pc
=> 0x20dd18: stw     r4,16(r30)
(gdb)
0x000000000020dd1c in ?? ()
1: x/i $pc

That may be just gibberish, I don't know PPC assembly and I've only used gdb a few times to step through some C code, and never tried to debug a running target in Qemu.

Let me know if I'm barking up the wrong tree here?

The trampoline seems to hit that address a few times, so it breaks @ 0x20dccc a few times before it gets to this point:

 
Code: [Select]
Hardware info:
Dumping 192 bytes @ 0x3FEE4000
3FEE4000: 00C00000 6400000C 64048084 00003000
3FEE4010: 3FEDD000 3FEDF000 80040000 00000000
3FEE4020: 00000000 00000000 00000000 00000000
3FEE4030: 00000000 00000000 00000000 00001400
3FEE4040: 00000000 00000000 00000000 00000000
3FEE4050: 00000000 00000000 00000000 00000000
3FEE4060: 00000000 00000000 00000000 00000000
3FEE4070: 486E666F 00403035 00250024 08000800
3FEE4080: 00190000 08000800 00400000 00000000
3FEE4090: 00000000 00000004 00000000 00410000
3FEE40A0: 1A05D66A 00000000 3FEDE000 00000000
3FEE40B0: 00000000 00000000 00000000 00000000

HardwareInit info:
Dumping 32 bytes @ 0x3FEE7000
3FEE7000: 3FEE5000 3FEE6000 00000000 3FEE4000
3FEE7010: 00000000 00000080 00F10000 80012000

Cascade Info:
Dumping 516 bytes @ 0x00117818
00117818: 00000000 FFFFFFFF FFFFFFFF FFFFFFFF
00117828: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
00117838: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
00117848: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
00117858: FFFFFFFF 01040404 04040402 04020402
00117868: 02000000 00000000 00000000 00000000
00117878: 00000000 00000000 00000000 00000000
00117888: 00000000 00000000 00000000 00000000
00117898: 00000000 00000000 00000000 00000000
001178A8: 00000000 00000000 00000000 00000000
001178B8: 00000000 00000000 00000000 00000000
001178C8: 00000000 00000000 00000000 00000000
001178D8: 00000000 00000000 00000000 00000000
001178E8: 00000000 00000000 00000000 00000000
001178F8: 00000000 00000000 00000000 00000000
00117908: 00000000 00000000 00000000 00000000
00117918: 00000000 00000000 00000000 00000000
00117928: 00000000 00000000 00000000 00000000
00117938: 00000000 00000000 00000000 00000000
00117948: 00000000 00000000 00000000 00000000
00117958: 00000000 00000000 00000000 00000000
00117968: 00000000 00000000 00000000 00000000
00117978: 00000000 00000000 00000000 00000000
00117988: 00000000 00000000 00000000 00000000
00117998: 00000000 00000000 00000000 00000000
001179A8: 00000000 00000000 00000000 00000000
001179B8: 00000000 00000000 00000000 00000000
001179C8: 00000000 00000000 00000000 00000000
001179D8: 00000000 00000000 00000000 00000000
001179E8: 00000000 00000000 00000000 00000000
001179F8: 00000000 00000000 00000000 00000000
00117A08: 00000000 00000000 00000000 00000000
00117A18: 00000000

The next continue gives:

Code: [Select]
IsKeyDown: no keys held down
Overlap in AddMemoryRelocationEntry().
    - dst = 0x00003000, dstLength = 0x0000052C, entry->dst = 0x00000000, entry->dst_len = 0x00048298.
Overlap in AddMemoryRelocationEntry().
    - dst = 0x00003F80, dstLength = 0x00000080, entry->dst = 0x00000000, entry->dst_len = 0x00048298.
Overlap in AddMemoryRelocationEntry().
    - dst = 0x00003F40, dstLength = 0x00000040, entry->dst = 0x00000000, entry->dst_len = 0x00048298.
Overlap in AddMemoryRelocationEntry().
    - dst = 0x00003CFC, dstLength = 0x00000204, entry->dst = 0x00000000, entry->dst_len = 0x00048298.
Overlap in AddMemoryRelocationEntry().
    - dst = 0x00003F00, dstLength = 0x00000040, entry->dst = 0x00000000, entry->dst_len = 0x00048298.



Offline powermax

  • Consistant Contributor
  • ***
  • Posts: 80
  • Hobbyist programmer
Re: G5 qemu attempts.
« Reply #42 on: October 12, 2018, 07:42:32 AM »
I don't know if I'm doing this correctly, or if I have the debugger set up correctly [snip]

Congrats! It looks like you got the QEMU+GDB toolchain set up correctly. Memory addresses are big-endian now (0x000000000020dccc instead of x86's 0x20dccc0000000000) and stepping works as well.

Would you mind posting step-by-step instructions on how to set up that toolchain? Just in case someone wants to step in and help us out...

It seems the closest point in the trampoline I can find a breakpoint for, before we get to the memory overlap, is a breakpoint at 0x20dccc.

I don't understand that. What command was used to set that breakpoint? Doesn't any other address work?

That may be just gibberish, I don't know PPC assembly and I've only used gdb a few times to step through some C code, and never tried to debug a running target in Qemu.

The code looks right. 0x20dccc belongs to the CallMethod() function inside the Trampoline. The function itself starts @0x20dcc0.

To be done next:

  • run a disassembler on the target code and obtain a good disassembly listing
  • PM me your GitLab account name. If you don't own a GitLab account, set one up first at gitlab.org. I'll grant you access to my C source code for the Trampoline
  • obtain docs on the OF client interface (google for 1275-1994.pdf)

Then, having the assembly listing on the left hand side and the C code on the right hand side, you'd trace the target code and compare its behavior with the expected one. This will be a lot of fun and you'll learn PPC assembly very quickly ;D
« Last Edit: October 12, 2018, 06:13:56 PM by powermax »

Offline darthnVader

  • Gold Member
  • *****
  • Posts: 389
  • New Member
Re: G5 qemu attempts.
« Reply #43 on: October 12, 2018, 11:45:07 AM »
To build gdb-powerpc-linux on Linux, you'll need normal build tools such as gcc installed; I'll assume people know how to install that stuff with apt or their other package manager. Anything you need for the build that you don't have installed, it will likely let you know about when you try to configure.

Download the GDB source code, I had trouble with the latest release, so likely people will want to use v7.9.

http://ftp.gnu.org/gnu/gdb/gdb-7.9.tar.gz

Unpack it and cd into the dir, then just:

Code: [Select]
./configure -target=powerpc-linux --enable-sim-powerpc
make && sudo make install

After that, all you need to do is launch qemu-system-ppc(64) with -s and -S, it will pause and listen on port 1234 for GDB.

Then in another terminal launch gdb:

Code: [Select]
gdb-powerpc-linux
target remote localhost:1234
continue

You'll likely want to set prom-env "auto-boot?=false" --nographic for Qemu.

Set your breakpoint in GDB, i.e.

Code: [Select]
break *0x20dccc

Then type boot in the Qemu terminal.




Offline darthnVader

  • Gold Member
  • *****
  • Posts: 389
  • New Member
Re: G5 qemu attempts.
« Reply #44 on: October 13, 2018, 01:04:01 AM »
I don't know if I'm doing this correctly, or if I have the debugger set up correctly [snip]

Congrats! It looks like you got the QEMU+GDB toolchain set up correctly. Memory addresses are big-endian now (0x000000000020dccc instead of x86's 0x20dccc0000000000) and stepping works as well.

Would you mind posting step-by-step instructions on how to set up that toolchain? Just in case someone wants to step in and help us out...

It seems the closest point in the trampoline I can find a breakpoint for, before we get to the memory overlap, is a breakpoint at 0x20dccc.

I don't understand that. What command was used to set that breakpoint? Doesn't any other address work?



I was just trying to find a breakpoint nearest to the code that is causing the memory overlap. CallMethod() seems to be executed a few times, once just before we get our overlap, so hopefully that will help us find the exact code that needs work.

Offline powermax

  • Consistant Contributor
  • ***
  • Posts: 80
  • Hobbyist programmer
Re: G5 qemu attempts.
« Reply #45 on: October 13, 2018, 02:54:15 AM »
I was just trying to find a breakpoint nearest to the code that is causing the memory overlap. CallMethod() seems to be executed a few times, once just before we get our overlap, so hopefully that will help us find the exact code that needs work.

I see. The problem is that CallMethod() is completely unrelated to our issue. You need to track calls to AddMemoryRelocationEntry() located @0x201DB4. This function has the following prototype:

Code: [Select]
int AddMemoryRelocationEntry(uint32_t src, uint32_t srcLength, uint32_t dst,
                             uint32_t dstLength, uint32_t flags);

The PowerPC ABI prescribes that the first 7 parameters will always be passed in registers starting with R3, i.e. R3 = src, R4 = srcLength, R5 = dst, R6 = dstLength, R7 = flags. Return values will be placed in R3. For further details, see reloc.c, line 75 in my code.

The destination address "dst" will be set to NULL somewhere, causing AddMemoryRelocationEntry to reserve a big block of memory @0x00000000. That's wrong, and the task is to determine why that actually happens.

I suppose that the faulty call to AddMemoryRelocationEntry is located in main at 0x2059f4. "dst"(R5) will probably contain NULL. This address is also calculated there based on the value in NKSystemInfo.PhysicalMemorySize that should contain zero in your precise case.

The task is also to verify if the above mentioned conditions hold true and when they do, try to find out which code sets NKSystemInfo.PhysicalMemorySize to zero.
« Last Edit: October 13, 2018, 05:33:23 AM by powermax »

Offline darthnVader

  • Gold Member
  • *****
  • Posts: 389
  • New Member
Re: G5 qemu attempts.
« Reply #46 on: October 13, 2018, 04:34:55 AM »
I was just trying to find a breakpoint nearest to the code that is causing the memory overlap. CallMethod() seems to be executed a few times, once just before we get our overlap, so hopefully that will help us find the exact code that needs work.

I see. The problem is that CallMethod() is completely unrelated to our issue. You need to track calls to AddMemoryRelocationEntry() located @0x201DB4. This function has the following prototype:

Code: [Select]
int AddMemoryRelocationEntry(uint32_t src, uint32_t srcLength, uint32_t dst,
                             uint32_t dstLength, uint32_t flags);

The Power ABI prescribes that the first 7 parameters will always be passed in registers starting with R3, i.e. R3 = src, R4 = srcLength, R5 = dst, R6 = dstLength, R7 = flags. Return values will be placed in R3. For further details, see reloc.c, line 75 in my code.

The destination address "dst" will be set to NULL somewhere, causing AddMemoryRelocationEntry to reserve a big block of memory @0x00000000. That's wrong, and the task is to determine why that actually happens.

I suppose that the faulty call to AddMemoryRelocationEntry is located in main at 0x2059f4. "dst"(R5) will probably contain NULL. This address is also calculated there based on the value in NKSystemInfo.PhysicalMemorySize that should contain zero in your precise case.

The task is also to verify if the above mentioned conditions hold true and when they do, try to find out which code sets NKSystemInfo.PhysicalMemorySize to zero.

Thanks, I understand some of that, I'll look into it, and see if I can figure out some sort of workaround. I'll just have to see what goes on in Qemu with the G4 CPU and maybe that will tell me what goes wrong with the G5.

I'm sure I'll have lots of questions. ;D

Offline powermax

  • Consistant Contributor
  • ***
  • Posts: 80
  • Hobbyist programmer
Re: G5 qemu attempts.
« Reply #47 on: October 13, 2018, 05:21:25 AM »
Thanks, I understand some of that, I'll look into it, and see if I can figure out some sort of workaround.

Let's spot the issue first by answering the following questions:

  • does the call to AddMemoryRelocationEntry in the basic block at 0x2059f4 pass zero in R5? (yes/no)
  • if 1. is true, does R3 at 0x2059fc contain zero as well? (yes/no)
  • please dump the memory pointed to by R23 at 0x2059fc and post it here. The size of the dump is 320 bytes (i.e. sizeof(NKSystemInfo))

I'm sure I'll have lots of questions. ;D
Don't hesitate to ask here :D

Offline darthnVader

  • Gold Member
  • *****
  • Posts: 389
  • New Member
Re: G5 qemu attempts.
« Reply #48 on: October 14, 2018, 03:51:51 AM »
OK, I've successfully pulled the repo. It wasn't really what I was expecting, not that I'm complaining, but I was thinking it had the code to decompile the trampoline, and maybe patch and recompile it.

Like I say, not a complaint, I'm just not real sure how to use this code to patch the trampoline.

Anywho, reloc.c seems to contain the code we are tripping over:

Code: [Select]
int AddMemoryRelocationEntry(uint32_t src, uint32_t srcLength, uint32_t dst,
                             uint32_t dstLength, uint32_t flags)
{
    int i;
    uint32_t size;
    MemRelocEntry *pEntry;
    MemRelocList  *pNewList;

    if (gMemRelocList == 0) {
        gMemRelocList = ClaimMem(sizeof(MemRelocList), 2);
        if ((int)gMemRelocList == -1)
            return 0;

        gMemRelocList->cnt.nUsedEntries = 0;
        gMemRelocList->cnt.nFreeEntries = 64;
    }

    for (i = 0; i < gMemRelocList->cnt.nUsedEntries; i++) {
        pEntry = &gMemRelocList->entries[i];
        if ((dst + dstLength) > pEntry->dst && (pEntry->dst + pEntry->dst_len) > dst) {
            printf("Overlap in AddMemoryRelocationEntry().\r");
            printf("    - dst = 0x%08X, dstLength = 0x%08X,"
                   " entry->dst = 0x%08X, entry->dst_len = 0x%08X.\r",
                   dst, dstLength, pEntry->dst, pEntry->dst_len);
            gFatalErr = 1;
            return 1;
        }
    }

    for (i = 0; i < gMemRelocList->cnt.nUsedEntries; i++) {
        pEntry = &gMemRelocList->entries[i];
        if ((src + srcLength) > pEntry->src && (pEntry->src + pEntry->src_len) > src) {
            printf("Overlap in AddMemoryRelocationEntry().\r");
            printf("    - src = 0x%08X, srcLength = 0x%08X,"
                   " entry->src = 0x%08X, entry->src_len = 0x%08X.\r",
                   src, srcLength, pEntry->src, pEntry->src_len);
            gFatalErr = 1;
            return 1;
        }
    }

I'm not real sure exactly why we are failing here, or how to insert some code here to help with debugging?

Offline darthnVader

  • Gold Member
  • *****
  • Posts: 389
  • New Member
Re: G5 qemu attempts.
« Reply #49 on: October 14, 2018, 04:00:15 AM »
Thanks, I understand some of that, I'll look into it, and see if I can figure out some sort of workaround.

Let's spot the issue first by answering the following questions:

  • does the call to AddMemoryRelocationEntry in the basic block at 0x2059f4 pass zero in R5? (yes/no)
  • if 1. is true, does R3 at 0x2059fc contain zero as well? (yes/no)
  • please dump the memory pointed to by R23 at 0x2059fc and post it here. The size of the dump is 320 bytes (i.e. sizeof(NKSystemInfo))

I'm sure I'll have lots of questions. ;D
Don't hesitate to ask here :D

I'm not real sure how to do 1, 2, or 3. I'll need some exact examples, as well as a basic overview of the process.

Offline darthnVader

  • Gold Member
  • *****
  • Posts: 389
  • New Member
Re: G5 qemu attempts.
« Reply #50 on: October 14, 2018, 04:11:18 AM »
Code: [Select]

Breakpoint 1, 0x00000000002059f4 in ?? ()
(gdb) display/i $pc
1: x/i $pc
=> 0x2059f4: lwz     r23,0(r26)
(gdb) stepi
0x00000000002059f8 in ?? ()
1: x/i $pc
=> 0x2059f8: addi    r6,r28,3
(gdb) stepi
0x00000000002059fc in ?? ()
1: x/i $pc
=> 0x2059fc: lwz     r3,0(r23)
(gdb)

« Last Edit: October 14, 2018, 04:24:46 AM by darthnVader »

Offline powermax

  • Consistant Contributor
  • ***
  • Posts: 80
  • Hobbyist programmer
Re: G5 qemu attempts.
« Reply #51 on: October 14, 2018, 05:19:23 AM »
I'm not real sure how to do 1, 2 , or 3, I'll need some exact examples, as well as a basic overview of the process.

Well, as I already said before, you need to obtain a disassembly listing for the code you're trying to debug. For that purpose, you need a disassembler. Fortunately, you have several choices: IDA Pro freeware, Hopper, Radare2...

Below is the snippet of interest:

Code: [Select]
002059F4    lwz     r23, 0(r26)
002059F8    addi    r6, r28, 3
002059FC    lwz     r3, 0(r23)
00205A00    mr      r4, r28       # srcLength
00205A04    li      r7, 1         # flags
00205A08    divwu   r5, r3, r16
00205A0C    lwz     r3, 724(r1)   # src
00205A10    slwi    r5, r5, 1
00205A14    addis   r5, r5, 0x10
00205A18    clrrwi  r6, r6, 2     # dstLength
00205A1C    addi    r5, r5, -1
00205A20    clrrwi  r5, r5, 20    # dst
00205A24    bl      AddMemoryRelocationEntry

Then you set a breakpoint at 0x2059f4 and execute your target until it hits that breakpoint. To obtain a memory dump, you use GDB's "x" command:

Code: [Select]
(gdb) break *0x2059f4
(gdb) cont
...
Breakpoint 1, 0x00000000002059f4 in ?? ()
(gdb) display/i $pc
(gdb) stepi
(gdb) x/80w $r23

The last command will dump 320 bytes of memory starting with $r23, formatted as 80 big-endian double words.

The next example shows how to read the value of R5 at 0x205a20 (that's the "dst" param passed to AddMemoryRelocationEntry, see the snippet above):

Code: [Select]
(gdb) break *0x205a24
(gdb) cont
(gdb) info registers

I set a breakpoint past the instruction of interest to ensure it has been executed (that's why I set a breakpoint at 0x205a20+4). Then I dump the CPU register file with "info registers" to examine the value of R3.

Offline powermax

  • Consistant Contributor
  • ***
  • Posts: 80
  • Hobbyist programmer
Re: G5 qemu attempts.
« Reply #52 on: October 14, 2018, 06:12:43 AM »
OK, I've successfully pulled the repo. It wasn't really what I was expecting, not that I'm complaining, but I was thinking it had the code to decompile the trampoline, and maybe patch and recompile it.

You expected to find the source code for a full-blown PPC decompiler there?

I wonder how you interpret the term "decompilation".

Mapping some binary code to a list of processor mnemonics (i.e. disassembly) is relatively easy. That's what a tool called "disassembler" is capable of performing automatically. Well, near automatically.

Reconstructing a high-level source code for a compiled executable program (in other words, "decompilation" as the inverse of "compilation") is, in contrast, an enormously hard task. No tool doing that ever existed and will likely never exist.

Decompilation is mostly carried out by humans using various program analysis tools. For further details, please refer to this thread: http://macos9lives.com/smforum/index.php/topic,3953.0.html

I'm just not real sure how to use this code to patch the trampoline.

My code is a translation from PPC Asm to C. You find a bug on the binary level, fix it in the C source and then recompile the whole Trampoline using a PowerPC C compiler (gcc, MPW's MrC, whatsoever). Then you bundle this new version in a custom "Mac OS ROM" file using CDG5 tools (https://github.com/elliotnunn/newworld-rom) and replace the ROM file shipped with Mac OS with your "fixed" version.

That's how it's supposed to work. I call it "high-level hacking". The reality is a bit different: the decompiled code must be complete and compilable. That's what I'm currently working on.

I'm not real sure exactly why we are failing here, or how to insert some code here to help with debugging?

Until I complete the Trampoline's decompilation, you'll have to resort to "low-level hacking", that is, working on the binary/Asm level. The decompiled code should help to understand how the binary program works, which data it uses and how this data is laid out in memory. The missing mapping between the C source and its compiled form must be done in our brains. ???

Offline darthnVader

  • Gold Member
  • *****
  • Posts: 389
  • New Member
Re: G5 qemu attempts.
« Reply #53 on: October 14, 2018, 06:13:31 AM »
Code: [Select]
Breakpoint 1, 0x00000000002059f4 in ?? ()
1: x/i $pc
=> 0x2059f4: lwz     r23,0(r26)
(gdb) display/i $pc
2: x/i $pc
=> 0x2059f4: lwz     r23,0(r26)
(gdb) stepi
0x00000000002059f8 in ?? ()
2: x/i $pc
=> 0x2059f8: addi    r6,r28,3
1: x/i $pc
=> 0x2059f8: addi    r6,r28,3
(gdb)  x/80w $r23
0x3fec0000: 0 0 0 0
0x3fec0010: 0 0 0 0
0x3fec0020: 0 0 0 0
0x3fec0030: 0 12582912 15040512 684032
0x3fec0040: 16777216 -16777216 0 0
0x3fec0050: 0 0 0 0
0x3fec0060: 0 0 0 0
0x3fec0070: 0 0 0 0
0x3fec0080: 0 0 0 0
0x3fec0090: 0 0 0 0
0x3fec00a0: 0 0 0 0
0x3fec00b0: 0 0 0 0
0x3fec00c0: 0 0 0 0
0x3fec00d0: 0 0 0 0
0x3fec00e0: 0 0 0 0
0x3fec00f0: 0 0 0 0
0x3fec0100: -2147221504 0 0 0
0x3fec0110: 0 0 0 0
0x3fec0120: 0 0 53 -805306368
0x3fec0130: 0 0 0 0
(gdb) break *0x205a24
Breakpoint 2 at 0x205a24
(gdb) cont
Continuing.

Breakpoint 2, 0x0000000000205a24 in ?? ()
2: x/i $pc
=> 0x205a24: bl      0x201db4
1: x/i $pc
=> 0x205a24: bl      0x201db4
(gdb) info register
r0             0x2059ec 2120172
r1             0x116a28 1141288
r2             0x1001e8 1049064
r3             0x3f280000 1059586048
r4             0x48498 296088
r5             0x0 0
r6             0x48498 296088
r7             0x1 1
r8             0x0 0
r9             0x11669c 1140380
r10            0x106e84 1076868
r11            0x106e8b 1076875
r12            0x1198b8 1153208
r13            0x0 0
r14            0x100698 1050264
r15            0xa 10
r16            0x3 3
r17            0x3fee1000 1072566272
r18            0x3fee1000 1072566272
r19            0x106e48 1076808
r20            0x3fee1000 1072566272
r21            0x8 8
r22            0x117818 1144856
---Type <return> to continue, or q <return> to quit---
r23            0x3fec0000 1072431104
r24            0x8 8
r25            0x816116f9 2170623737
r26            0x117080 1142912
r27            0x1170ac 1142956
r28            0x48498 296088
r29            0x106b34 1076020
r30            0x117088 1142920
r31            0x117084 1142916
pc             0x205a24 0x205a24
msr            0x3030 12336
cr             0x22400244 574620228
lr             0x2059ec 0x2059ec
ctr            0xfff025d0 4293928400
xer            0x0 0
(gdb)

Offline darthnVader

  • Gold Member
  • *****
  • Posts: 389
  • New Member
Re: G5 qemu attempts.
« Reply #54 on: October 14, 2018, 06:26:22 AM »
OK, I've successfully pulled the repo. It wasn't really what I was expecting, not that I'm complaining, but I was thinking it had the code to decompile the trampoline, and maybe patch and recompile it.

You expected to find the source code for a full-blown PPC decompiler there?

I wonder how you interpret the term "decompilation".

Mapping some binary code to a list of processor mnemonics (i.e. disassembly) is relatively easy. That's what a tool called "disassembler" is capable of performing automatically. Well, near automatically.

Reconstructing a high-level source code for a compiled executable program (in other words, "decompilation" as the inverse of "compilation") is, in contrast, an enormously hard task. No tool doing that ever existed and will likely never exist.

Decompilation is mostly carried out by humans using various program analysis tools. For further details, please refer to this thread: http://macos9lives.com/smforum/index.php/topic,3953.0.html

I'm just not real sure how to use this code to patch the trampoline.

My code is a translation from PPC Asm to C. You find a bug on the binary level, fix it in the C source and then recompile the whole Trampoline using a PowerPC C compiler (gcc, MPW's MrC, whatsoever). Then you bundle this new version in a custom "Mac OS ROM" file using CDG5 tools (https://github.com/elliotnunn/newworld-rom) and replace the ROM file shipped with Mac OS with your "fixed" version.

That's how it's supposed to work. I call it "high-level hacking". The reality is a bit different: the decompiled code must be complete and compilable. That's what I'm currently working on.

I'm not real sure exactly why we are failing here, or how to insert some code here to help with debugging?

Until I complete the Trampoline's decompilation, you'll have to resort to "low-level hacking", that is, working on the binary/Asm level. The decompiled code should help to understand how the binary program works, which data it uses and how this data is laid out in memory. The missing mapping between the C source and its compiled form must be done in our brains. ???

OK, I see. I realize how hard it must have been to get the source files you have in the repo, as I've made attempts at reverse engineering binary data before. Normally I just revert to binary hacks in a hex editor, though in this case I'm going to have to get my hands dirty and learn some new tricks. ;D

I was just kind of hoping things would be a little easier, but it's ok. I was really just hoping for a makefile and some instructions on how to build in MPW or something, but I can see it's more involved than that, as the trampoline is just one part of the Mac OS ROM.

A lot of these things are beyond my understanding at this point, so forgive my ignorance.

Offline powermax

  • Consistant Contributor
  • ***
  • Posts: 80
  • Hobbyist programmer
Re: G5 qemu attempts.
« Reply #55 on: October 14, 2018, 06:56:25 AM »
Code: [Select]
Breakpoint 1, 0x00000000002059f4 in ?? ()
1: x/i $pc
=> 0x2059f4: lwz     r23,0(r26)
(gdb) display/i $pc
2: x/i $pc
=> 0x2059f4: lwz     r23,0(r26)
(gdb) stepi
0x00000000002059f8 in ?? ()
2: x/i $pc
=> 0x2059f8: addi    r6,r28,3
1: x/i $pc
=> 0x2059f8: addi    r6,r28,3
(gdb)  x/80w $r23
0x3fec0000: 0 0 0 0
0x3fec0010: 0 0 0 0
0x3fec0020: 0 0 0 0
0x3fec0030: 0 12582912 15040512 684032
0x3fec0040: 16777216 -16777216 0 0
0x3fec0050: 0 0 0 0
0x3fec0060: 0 0 0 0
0x3fec0070: 0 0 0 0
0x3fec0080: 0 0 0 0
0x3fec0090: 0 0 0 0
0x3fec00a0: 0 0 0 0
0x3fec00b0: 0 0 0 0
0x3fec00c0: 0 0 0 0
0x3fec00d0: 0 0 0 0
0x3fec00e0: 0 0 0 0
0x3fec00f0: 0 0 0 0
0x3fec0100: -2147221504 0 0 0
0x3fec0110: 0 0 0 0
0x3fec0120: 0 0 53 -805306368
0x3fec0130: 0 0 0 0
(gdb) break *0x205a24
Breakpoint 2 at 0x205a24
(gdb) cont
Continuing.

Breakpoint 2, 0x0000000000205a24 in ?? ()
2: x/i $pc
=> 0x205a24: bl      0x201db4
1: x/i $pc
=> 0x205a24: bl      0x201db4
(gdb) info register
r0             0x2059ec 2120172
r1             0x116a28 1141288
r2             0x1001e8 1049064
r3             0x3f280000 1059586048
r4             0x48498 296088
r5             0x0 0
r6             0x48498 296088
r7             0x1 1
r8             0x0 0
r9             0x11669c 1140380
r10            0x106e84 1076868
r11            0x106e8b 1076875
r12            0x1198b8 1153208
r13            0x0 0
r14            0x100698 1050264
r15            0xa 10
r16            0x3 3
r17            0x3fee1000 1072566272
r18            0x3fee1000 1072566272
r19            0x106e48 1076808
r20            0x3fee1000 1072566272
r21            0x8 8
r22            0x117818 1144856
---Type <return> to continue, or q <return> to quit---
r23            0x3fec0000 1072431104
r24            0x8 8
r25            0x816116f9 2170623737
r26            0x117080 1142912
r27            0x1170ac 1142956
r28            0x48498 296088
r29            0x106b34 1076020
r30            0x117088 1142920
r31            0x117084 1142916
pc             0x205a24 0x205a24
msr            0x3030 12336
cr             0x22400244 574620228
lr             0x2059ec 0x2059ec
ctr            0xfff025d0 4293928400
xer            0x0 0
(gdb)

Thanks. Those dumps have answered all three questions of mine. AddMemoryRelocationEntry is called with dst=0, which usually shouldn't happen. The value of dst is calculated using the following C statement:

Code: [Select]
dst = (NKSystemInfo.PhysicalMemorySize / 3 * 2 + 0xFFFFF) & 0xFFF00000;

In other words, it takes 2/3 of the available physical memory and aligns that amount to the 1MB boundary. This will be the physical destination address for the flattened device tree.

In your precise case, that destination address is 0x00000000 because NKSystemInfo.PhysicalMemorySize contains zero. That's the reason why the consequent calls to AddMemoryRelocationEntry fail.

Would you kindly verify which calls to AddMemoryRelocationEntry report overlapping? To achieve that, you need to set the following breakpoints (each one past a blr AddMemoryRelocationEntry):

0x205A28 (shouldn't report any error)
0x205A58
0x205A88
0x205AC8
0x205B08
0x205B48

Every time one of these breakpoints is reached and NO error appears in the QEMU console, mark the corresponding call as "false". Otherwise, mark it as "true".

Moreover, I'd appreciate a memory dump at "src", i.e.

Code: [Select]
break *0x205A24
cont
x/32xb $r3

Offline darthnVader

  • Gold Member
  • *****
  • Posts: 389
  • New Member
Re: G5 qemu attempts.
« Reply #56 on: October 14, 2018, 07:38:20 AM »
Code: [Select]
0x205A28 (shouldn't report any error)
0x205A58 false
0x205A88 true
0x205AC8 true
0x205B08 true
0x205B48 true

Code: [Select]
(gdb) break *0x205A24
Note: breakpoint 7 also set at pc 0x205a24.
Breakpoint 8 at 0x205a24
(gdb) cont
Continuing.

Breakpoint 7, 0x0000000000205a24 in ?? ()
(gdb) x/32xb $r3
0x3fad8000: 0x50 0x4d 0x52 0x26 0x42 0x47 0x73 0x54
0x3fad8008: 0x72 0x65 0x65 0x00 0x00 0x00 0x00 0x00
0x3fad8010: 0x00 0x00 0x00 0x0c 0x00 0x02 0xef 0x70
0x3fad8018: 0x00 0x00 0x00 0x0c 0x00 0x00 0x00 0x00
(gdb)

Offline powermax

  • Consistant Contributor
  • ***
  • Posts: 80
  • Hobbyist programmer
Re: G5 qemu attempts.
« Reply #57 on: October 14, 2018, 09:57:23 AM »
Code: [Select]
0x205A28 (shouldn't report any error)
0x205A58 false
0x205A88 true
0x205AC8 true
0x205B08 true
0x205B48 true

According to the error log reported earlier, 0x205A58 is expected to fail as well. Can you recheck?

Code: [Select]
0x3fad8000: 0x50 0x4d 0x52 0x26 0x42 0x47 0x73 0x54
0x3fad8008: 0x72 0x65 0x65 0x00 0x00 0x00 0x00 0x00
0x3fad8010: 0x00 0x00 0x00 0x0c 0x00 0x02 0xef 0x70
0x3fad8018: 0x00 0x00 0x00 0x0c 0x00 0x00 0x00 0x00
(gdb)

Yes, that's the beginning of the flattened device tree. ;D

Offline darthnVader

  • Gold Member
  • *****
  • Posts: 389
  • New Member
Re: G5 qemu attempts.
« Reply #58 on: October 14, 2018, 10:13:42 AM »
Code: [Select]
0x205A28 (shouldn't report any error)
0x205A58 false
0x205A88 true
0x205AC8 true
0x205B08 true
0x205B48 true

According to the error log reported earlier, 0x205A58 is expected to fail as well. Can you recheck?

Code: [Select]
0x3fad8000: 0x50 0x4d 0x52 0x26 0x42 0x47 0x73 0x54
0x3fad8008: 0x72 0x65 0x65 0x00 0x00 0x00 0x00 0x00
0x3fad8010: 0x00 0x00 0x00 0x0c 0x00 0x02 0xef 0x70
0x3fad8018: 0x00 0x00 0x00 0x0c 0x00 0x00 0x00 0x00
(gdb)

Yes, that's the beginning of the flattened device tree. ;D

0x20a58 does fail.

Offline powermax

  • Consistant Contributor
  • ***
  • Posts: 80
  • Hobbyist programmer
Re: G5 qemu attempts.
« Reply #59 on: October 14, 2018, 10:18:26 AM »
It's worth trying to set R5 before AddMemoryRelocationEntry to the correct value to see if it fixes that fatal error.

Code: [Select]
(gdb) break *0x205A24
(gdb) cont
(gdb) set $r5=0x2AB00000
(gdb) cont

0x2AB00000 is calculated from the assigned physical memory, i.e. ((1024*1024*1024) / 3 * 2 + 0xFFFFF) & 0xFFF0000 = 0x2AB00000.

I'm curious what happens then...
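The destination formula described earlier in the thread and the 0x2AB00000 value computed above, as an added example that is not code from the thread or from the Mac OS boot sources; the table class, the FDT length and the low-memory entries are constructed assumptions used only to show why a zero PhysicalMemorySize makes every later AddMemoryRelocationEntry call report an overlap:

```python
# Added example (not from the thread or the boot code): reproduces the
# relocation-destination formula and the overlap check whose failure shows up
# as "Overlap in AddMemoryRelocationEntry()" in the QEMU console.
# Names, the table shape and the sample entries are assumptions.

MASK_1MB = 0xFFF00000


def fdt_destination(physical_memory_size: int) -> int:
    """dst = (PhysicalMemorySize / 3 * 2 + 0xFFFFF) & 0xFFF00000."""
    # Integer division first, as in the C expression, then round up to the
    # next 1MB boundary by adding 0xFFFFF and masking the low 20 bits away.
    return (physical_memory_size // 3 * 2 + 0xFFFFF) & MASK_1MB


def overlaps(dst_a: int, len_a: int, dst_b: int, len_b: int) -> bool:
    """True when the half-open ranges [dst, dst + len) intersect."""
    return dst_a < dst_b + len_b and dst_b < dst_a + len_a


class RelocationTable:
    """Minimal stand-in (assumed shape) for the boot code's relocation list."""

    def __init__(self) -> None:
        self.entries = []  # list of (dst, length) already scheduled

    def add(self, dst: int, length: int) -> bool:
        # Refuse the entry if its destination collides with an earlier one;
        # this is the condition the console message reports.
        for entry_dst, entry_len in self.entries:
            if overlaps(dst, length, entry_dst, entry_len):
                return False
        self.entries.append((dst, length))
        return True


# Constructed sample: the flattened device tree is the first entry, followed
# by a few small blocks destined for low memory (sizes are illustrative only).
FDT_LENGTH = 0x50000
LOW_MEMORY_ENTRIES = [(0x3000, 0x500), (0x3F00, 0x100), (0x4000, 0x1000)]


def simulate(physical_memory_size: int) -> list:
    """Return the success flag of each low-memory entry added after the FDT."""
    table = RelocationTable()
    table.add(fdt_destination(physical_memory_size), FDT_LENGTH)
    return [table.add(dst, length) for dst, length in LOW_MEMORY_ENTRIES]


if __name__ == "__main__":
    # PhysicalMemorySize == 0 places the FDT at 0x0, so every later entry overlaps.
    print(hex(fdt_destination(0)), simulate(0))
    # 1GB yields 0x2AB00000, the value set into $r5 above, and no overlaps.
    print(hex(fdt_destination(1 << 30)), simulate(1 << 30))
```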

Offline darthnVader

  • Gold Member
  • *****
  • Posts: 389
  • New Member
Re: G5 qemu attempts.
« Reply #60 on: October 14, 2018, 10:28:56 AM »
It's worth trying to set R5 before AddMemoryRelocationEntry to the correct value to see if it fixes that fatal error.

Code: [Select]
(gdb) break *0x205A24
(gdb) cont
(gdb) set $r5=0x2AB00000
(gdb) cont

0x2AB00000 is calculated from the assigned physical memory, i.e. ((1024*1024*1024) / 3 * 2 + 0xFFFFF) & 0xFFF0000 = 0x2AB00000.

I'm curious what happens then...

Off to MacOS.  The next (and last) call into OpenFirmware is quiesce(). ;D

Never boots tho, I removed --nographic, and tried both the 970 and the 970fx.

I'm not getting any errors, the system just stays at the OB prompt with the last line:

Code: [Select]
Off to MacOS.  The next (and last) call into OpenFirmware is quiesce().
« Last Edit: October 14, 2018, 10:47:08 AM by darthnVader »

Offline powermax

  • Consistant Contributor
  • ***
  • Posts: 80
  • Hobbyist programmer
Re: G5 qemu attempts.
« Reply #61 on: October 14, 2018, 11:24:22 AM »
Off to MacOS.  The next (and last) call into OpenFirmware is quiesce(). ;D

Terrific! We're on the right track  ;)

Never boots tho, I removed --nographic, and tried both the 970 and the 970fx.

I'm not getting any errors, the system just stays at the OB prompt with the last line:

Code: [Select]
Off to MacOS.  The next (and last) call into OpenFirmware is quiesce().

Yes, I suspect a silent crash in the RelocationEngine due to the use of unsupported BATs. We'll fix it later.

Let's figure out where and why NKSystemInfo.PhysicalMemorySize is set to zero.

Breakpoint at 0x2052F0, dword at $r26 will contain the pointer to NKSystemInfo. I need a dump of NKSystemInfo at this location.

Code: [Select]
(gdb) break *0x2052F0
(gdb) cont
(gdb) x/1xw $r26
GDB will display an address here
(gdb) x/8xw *address shown above

Offline darthnVader

  • Gold Member
  • *****
  • Posts: 389
  • New Member
Re: G5 qemu attempts.
« Reply #62 on: October 14, 2018, 05:47:32 PM »
Code: [Select]
Breakpoint 1, 0x00000000002052f0 in ?? ()
(gdb)  x/1xw $r26
0x117080: 0x3fee5000
(gdb) x/8xw *0x3fee5000
0x40000000: Cannot access memory at address 0x40000000
(gdb) x/8xw *0x117080
0x3fee5000: 0x40000000 0x40000000 0x00000000 0x00000000
0x3fee5010: 0x00000000 0x00000000 0x00000000 0x00000000
(gdb)

Offline powermax

  • Consistant Contributor
  • ***
  • Posts: 80
  • Hobbyist programmer
Re: G5 qemu attempts.
« Reply #63 on: October 14, 2018, 11:30:49 PM »
Code: [Select]
Breakpoint 1, 0x00000000002052f0 in ?? ()
(gdb)  x/1xw $r26
0x117080: 0x3fee5000
(gdb) x/8xw *0x3fee5000
0x40000000: Cannot access memory at address 0x40000000
(gdb) x/8xw *0x117080
0x3fee5000: 0x40000000 0x40000000 0x00000000 0x00000000
0x3fee5010: 0x00000000 0x00000000 0x00000000 0x00000000
(gdb)

Thanks. The NKSystemInfo structure is located at 0x3fee5000. The first two dwords - PhysicalMemorySize and UsableMemorySize - contain the correct value of 0x40000000 (= 1024MB). The full definition of this structure is located in macosstructs.h:142.

The next step is to find out where both of these fields are set to zero. You'd need to work with watchpoints here to monitor access to 0x3fee5000 between 0x2052F0 and 0x205A24.

Code: [Select]
(gdb) break *0x2052F0
(gdb) break *0x205A24
(gdb) cont
(gdb) x/8xw *0x117080 (to verify the address for the command below)
(gdb) watch *0x3fee5000
(gdb) cont

Run these commands and record all addresses where 0x3fee5000 is accessed until the execution reaches 0x205A24. I hope this will work.

Offline darthnVader

  • Gold Member
  • *****
  • Posts: 389
  • New Member
Re: G5 qemu attempts.
« Reply #64 on: October 15, 2018, 12:03:58 AM »
Code: [Select]
(gdb)  break *0x2052F0
Breakpoint 1 at 0x2052f0
(gdb) break *0x205A24
Breakpoint 2 at 0x205a24
(gdb) target remote localhost:1234
A program is being debugged already.  Kill it? (y or n) y
Remote debugging using localhost:1234

Program received signal SIGTRAP, Trace/breakpoint trap.
0x00000000fff00100 in ?? ()
(gdb) cont
Continuing.

Breakpoint 1, 0x00000000002052f0 in ?? ()
(gdb) x/8xw *0x117080
0x3fee5000: 0x40000000 0x40000000 0x00000000 0x00000000
0x3fee5010: 0x00000000 0x00000000 0x00000000 0x00000000
(gdb) watch *0x3fee5000
Hardware watchpoint 3: *0x3fee5000
(gdb) watch *0x3fee5010
Hardware watchpoint 4: *0x3fee5010
(gdb) cont
Continuing.
Hardware watchpoint 3: *0x3fee5000

Old value = 1073741824
New value = 0
0x000000000020fd94 in ?? ()
(gdb)

Offline darthnVader

  • Gold Member
  • *****
  • Posts: 389
  • New Member
Re: G5 qemu attempts.
« Reply #65 on: October 15, 2018, 12:21:04 AM »
Code: [Select]
(gdb) cont
Continuing.
Hardware watchpoint 3: *0x3fee5000

Old value = 0
New value = 1073741824
0x000000000020271c in ?? ()
(gdb) cont
Continuing.

Breakpoint 1, 0x00000000002052f0 in ?? ()
(gdb) cont
Continuing.
Hardware watchpoint 3: *0x3fee5000

Old value = 1073741824
New value = 0
0x000000000020fd94 in ?? ()
(gdb) cont
Continuing.

Offline darthnVader

  • Gold Member
  • *****
  • Posts: 389
  • New Member
Re: G5 qemu attempts.
« Reply #66 on: October 15, 2018, 12:31:59 AM »
Here is what it looks like for the G4 CPU:

Code: [Select]
(gdb) target remote localhost:1234
Remote debugging using localhost:1234
0x00000000fff00100 in ?? ()
(gdb) cont
Continuing.
Hardware watchpoint 3: *0x3fee5000

Old value = 0
New value = 1073741824
0x000000000020271c in ?? ()
(gdb) cont
Continuing.

Breakpoint 1, 0x00000000002052f0 in ?? ()
(gdb) cont
Continuing.

Breakpoint 2, 0x0000000000205a24 in ?? ()
(gdb) cont
Continuing.
Hardware watchpoint 3: *0x3fee5000

Old value = 1073741824
New value = 1073725440
0x0000000000f105a0 in ?? ()
(gdb) cont
Continuing.

Are we jumping off into nowhere on the G5?
« Last Edit: October 15, 2018, 12:50:28 AM by darthnVader »

Offline powermax

  • Consistant Contributor
  • ***
  • Posts: 80
  • Hobbyist programmer
Re: G5 qemu attempts.
« Reply #67 on: October 15, 2018, 04:23:27 AM »
Can you please trace past the "blr" instruction at 0x20fda4 to obtain the address this subroutine returns to?

Alternatively, you just can dump the register file at the watchpoint 0x20fd94 and post the value of LR (link register) here. No need to trace anything at all...
« Last Edit: October 15, 2018, 04:42:31 AM by powermax »

Offline powermax

  • Consistant Contributor
  • ***
  • Posts: 80
  • Hobbyist programmer
Re: G5 qemu attempts.
« Reply #68 on: October 15, 2018, 04:50:17 AM »
Are we jumping off into nowhere on the G5?

No, I don't think so. We probably hit an exception when running the RelocationEngine on G5. At this time, because we don't have any OS running (OF has been shut down, Mac OS Nanokernel hasn't started yet), no recovering from low-level exceptions is possible, so the CPU most likely enters the machine check state (that is, it hangs waiting for reset)...

Offline darthnVader

  • Gold Member
  • *****
  • Posts: 389
  • New Member
Re: G5 qemu attempts.
« Reply #69 on: October 15, 2018, 07:02:55 AM »
Can you please trace past the "blr" instruction at 0x20fda4 to obtain the address this subroutine returns to?

Alternatively, you just can dump the register file at the watchpoint 0x20fd94 and post the value of LR (link register) here. No need to trace anything at all...

Not sure how to do either?

Offline powermax

  • Consistant Contributor
  • ***
  • Posts: 80
  • Hobbyist programmer
Re: G5 qemu attempts.
« Reply #70 on: October 15, 2018, 10:34:59 AM »
Not sure how to do either?

Code: [Select]
(gdb) break *0x2052F0
(gdb) cont
(gdb) watch *0x3fee5000
(gdb) cont

Old value = 1073741824
New value = 0
0x000000000020fd94 in ?? ()
(gdb) p/x $lr

Offline darthnVader

  • Gold Member
  • *****
  • Posts: 389
  • New Member
Re: G5 qemu attempts.
« Reply #71 on: October 15, 2018, 11:49:55 AM »
Code: [Select]
(gdb) break *0x2052F0
Breakpoint 1 at 0x2052f0
(gdb) cont
Continuing.

Breakpoint 1, 0x00000000002052f0 in ?? ()
(gdb)  watch *0x3fee5000
Hardware watchpoint 2: *0x3fee5000
(gdb) cont
Continuing.
Hardware watchpoint 2: *0x3fee5000

Old value = 1073741824
New value = 0
0x000000000020fd94 in ?? ()
(gdb) p/x $lr
$1 = 0x20fbb4
(gdb)

Offline powermax

  • Consistant Contributor
  • ***
  • Posts: 80
  • Hobbyist programmer
Re: G5 qemu attempts.
« Reply #72 on: October 15, 2018, 12:07:35 PM »
Code: [Select]
(gdb) break *0x2052F0
Breakpoint 1 at 0x2052f0
(gdb) cont
Continuing.

Breakpoint 1, 0x00000000002052f0 in ?? ()
(gdb)  watch *0x3fee5000
Hardware watchpoint 2: *0x3fee5000
(gdb) cont
Continuing.
Hardware watchpoint 2: *0x3fee5000

Old value = 1073741824
New value = 0
0x000000000020fd94 in ?? ()
(gdb) p/x $lr
$1 = 0x20fbb4
(gdb)

Can you also print the value of $r12 at the same location?

Offline darthnVader

  • Gold Member
  • *****
  • Posts: 389
  • New Member
Re: G5 qemu attempts.
« Reply #73 on: October 15, 2018, 02:44:57 PM »
This?

Code: [Select]
(gdb) break *0x2052F0
Breakpoint 1 at 0x2052f0
(gdb) cont
Continuing.

Breakpoint 1, 0x00000000002052f0 in ?? ()
(gdb)  watch *0x3fee5000
Hardware watchpoint 2: *0x3fee5000
(gdb) cont
Continuing.
Hardware watchpoint 2: *0x3fee5000

Old value = 1073741824
New value = 0
0x000000000020fd94 in ?? ()
(gdb) p/x $lr
$1 = 0x20fbb4
(gdb) p/x $r12
$2 = 0x203cec
(gdb)

Offline powermax

  • Consistant Contributor
  • ***
  • Posts: 80
  • Hobbyist programmer
Re: G5 qemu attempts.
« Reply #74 on: October 15, 2018, 04:22:11 PM »
Code: [Select]
Old value = 1073741824
New value = 0
0x000000000020fd94 in ?? ()
(gdb) p/x $lr
$1 = 0x20fbb4
(gdb) p/x $r12
$2 = 0x203cec
(gdb)

Yes, thanks a lot! The address 0x20fd94 belongs to the function bcopy() that simply copies bytes from src to dst. So bcopy() itself isn't a problem but merely another function that calls bcopy.

$r12 contains the return address to the caller of bcopy: 0x203cec belongs to MakeROMAreas() in main.c:39, originated at 0x203b88.

Could you set a breakpoint at 0x203ce8 (that's the call to bcopy), run the code until it hits that BP and tell me what $r3, $r4 and $r5 contain there? These will contain the parameters for bcopy...